Adam Wallwork

**Name of the Vulnerable Software and Affected Versions** VirtueMart versions 1.0.0 through 4.4.10 **Description** An unauthenticated reflected Cross-Site Scripting (XSS) issue exists in VirtueMart. This allows an attacker to inject malicious scripts into a vulnerable web page viewed by other users. The vulnerability does not require authentication to exploit. **Recommendations** Update VirtueMart to a version later than 4.4.10.

Name of the Vulnerable Software and Affected Versions: JS Jobs plugin versions 1.3.2 through 1.4.4 Description: A SQL injection vulnerability in the JS Jobs plugin for Joomla allows low-privilege users to execute arbitrary SQL commands. Recommendations: Update the JS Jobs plugin to a version later than 1.4.4.

**Name of the Vulnerable Software and Affected Versions** JS Jobs plugin for Joomla versions 1.0.0 through 1.4.1 **Description** A SQL injection vulnerability in the JS Jobs plugin for Joomla allows low-privilege users to execute arbitrary SQL commands via the `cvid` parameter in the employee application feature. **Recommendations** For versions 1.0.0 through 1.4.1, restrict access to the employee application feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VirtueMart component versions 1.0.0 through 4.4.7 for Joomla **Description** A SQL injection in the VirtueMart component for Joomla allows authenticated attackers, specifically administrators, to execute arbitrary SQL commands in the product management area in the backend. This issue enables attackers to potentially manipulate or extract sensitive data from the database. **Recommendations** For VirtueMart component versions 1.0.0 through 4.4.7, update to a version later than 4.4.7 to resolve the SQL injection issue. As a temporary workaround, consider restricting access to the product management area in the backend to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hikashop component versions 1.0.0 through 5.1.3 for Joomla **Description** A privilege escalation vulnerability in the Hikashop component for Joomla allows authenticated attackers, with administrator privileges, to escalate their privileges to Super Admin Permissions. **Recommendations** For Hikashop component versions 1.0.0 through 5.1.3, consider disabling the component until a patch is available to prevent privilege escalation. Restrict access to administrator roles to minimize the risk of exploitation. Avoid using the Hikashop component for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ConvertForms component versions 1.0.0 through 4.4.9 for Joomla **Description** A SQL injection issue in the ConvertForms component for Joomla allows authenticated attackers, specifically administrators, to execute arbitrary SQL commands. This exploitation occurs in the submission management area of the backend. **Recommendations** For ConvertForms component versions 1.0.0 through 4.4.9, update to a version that contains a fix for this issue to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** Hikashop component for Joomla versions 3.3.0 through 5.1.4 **Description** A SQL injection vulnerability in the Hikashop component for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in the backend. **Recommendations** For Hikashop component for Joomla versions 3.3.0 through 5.1.4, consider disabling access to the category management area in the backend until a patch is available. Restrict administrative access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JoomShopping component versions 1.0.0 through 1.4.3 **Description** A SQL injection issue in the country management area of the backend allows authenticated attackers with administrator privileges to execute arbitrary SQL commands. **Recommendations** For JoomShopping component versions 1.0.0 through 1.4.3, update to a version that contains a fix for this issue to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: JS Jobs plugin for Joomla versions 1.1.5 through 1.4.3 Description: A SQL injection issue allows authenticated attackers, with administrator privileges, to execute arbitrary SQL commands. This is achieved via the `filter email` parameter in the GDPR Erase Data Request search feature. Recommendations: For JS Jobs plugin for Joomla versions 1.1.5 through 1.4.3, consider disabling the GDPR Erase Data Request search feature or restricting access to the `filter email` parameter until a patch is available.

Name of the Vulnerable Software and Affected Versions: JS Jobs plugin versions 1.1.5 through 1.4.3 for Joomla Description: A SQL injection issue allows authenticated attackers, with administrator privileges, to execute arbitrary SQL commands via the `searchpaymentstatus` parameter in the Employer Payment History search feature. Recommendations: For JS Jobs plugin versions 1.1.5 through 1.4.3, consider disabling the Employer Payment History search feature until a patch is available to prevent exploitation of the SQL injection vulnerability. Restrict access to the `searchpaymentstatus` parameter to minimize the risk of arbitrary SQL command execution.

**Name of the Vulnerable Software and Affected Versions** JS Jobs plugin versions 1.1.5 through 1.4.2 for Joomla **Description** A SQL injection issue allows authenticated attackers, specifically administrators, to execute arbitrary SQL commands. This is achieved via the `fieldfor` parameter in the GDPR Field feature. **Recommendations** For JS Jobs plugin versions 1.1.5 through 1.4.2, consider disabling the GDPR Field feature until a patch is available to prevent exploitation of the SQL injection vulnerability. Restrict access to the `fieldfor` parameter to minimize the risk of arbitrary SQL command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.