Fábio Pires

Name of the Vulnerable Software and Affected Versions: AcyMailing Joomla Component versions prior to 4.9.5 Description: The issue is related to SQL Injection in the AcyMailing Joomla Component. It can be exploited via the `exportgeolocorder` in a `geolocation longitude` request to "index.php". Recommendations: For versions prior to 4.9.5, update to version 4.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `exportgeolocorder` function in the "index.php" endpoint until a patch is applied.

Name of the Vulnerable Software and Affected Versions: JCE Joomla Component versions 2.5.0 through 2.5.2 Description: The issue allows arbitrary file upload via a .php file extension for an image file to the "/com jce/editor/libraries/classes/browser.php" script. Recommendations: For versions 2.5.0 through 2.5.2, consider disabling the upload functionality in the browser.php script until a patch is available. Restrict access to the /com jce/editor/libraries/classes/browser.php script to minimize the risk of exploitation. Avoid using the .php file extension for image files in the affected JCE Joomla Component versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: JEvents Joomla Component versions prior to 3.4.0 RC6 Description: The issue is related to SQL Injection via the `evid` variable in a Manage Events action. This allows for potential exploitation. Recommendations: For versions prior to 3.4.0 RC6, update to version 3.4.0 RC6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Manage Events action to minimize the risk of exploitation. Avoid using the `evid` variable in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: JNews Joomla Component versions prior to 8.5.0 Description: The issue allows for arbitrary file upload, which can be achieved via Subscribers or Templates. This is demonstrated by the ability to upload files with the .php5 extension. Recommendations: For versions prior to 8.5.0, update to version 8.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload functionality in the Subscribers and Templates sections until the update is applied. Avoid using the file upload feature in these sections with untrusted users.

Name of the Vulnerable Software and Affected Versions: JNews Joomla Component versions prior to 8.5.0 Description: The issue allows SQL injection via several fields, including `upload thumbnail`, `Queue Search Field`, `Subscribers Search Field`, or `Newsletters Search Field`. Recommendations: For versions prior to 8.5.0, update to version 8.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `upload thumbnail`, `Queue Search Field`, `Subscribers Search Field`, and `Newsletters Search Field` to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: JNews Joomla Component versions prior to 8.5.0 Description: The issue is related to a Cross-Site Scripting (XSS) vulnerability. It occurs via the `mailingsearch` parameter. Recommendations: For versions prior to 8.5.0, update to version 8.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mailingsearch` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: HikaShop Joomla Component versions prior to 2.6.0 Description: The issue is related to a Cross-Site Scripting (XSS) vulnerability, which occurs when an injected payload is used. This allows for the execution of malicious scripts. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. Recommendations: For versions prior to 2.6.0, update to version 2.6.0 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable components until the issue is resolved.