@znort
What about JEM 3.0.7, does it have the same security issues?
Actually it's 1 problem, but a package should be created there too. But JEM 3.x is not for public release here at the site. Will create a package later at GitHub.
Ah well, as it's already in the open air I guess it doesn't hurt to tell what's going on and how you can change things.
Someone did report 2 problems:
- 1 with the default allowed attachment-types (Settings -> Global Parameters -> setting "default parameters")
The thing is that the default setting did allow attachments such as html/php etc. But actually it's a setting, and an admin should always check the needed settings. It's now changed and the default won't allow it anymore.
- The second one is more complicated.
It's about the myevents-view and then function publish and someone needs to be logged in.
file: components/com_jem/models/myevents
To see the needed changes you can take a peek over here:
github.com/jemproject/JEM-Project/commit...72ce42d595f7ca7299ae
It's now using code that Joomla is also using for the publish function.
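
An added example, not JEM's code and not part of the posts above: a check an admin could run over a comma-separated allowed attachment-types setting, plus a filename check that rejects names in which any dot-separated segment is a server-executed or browser-rendered type. The function names, the blocked list and the sample setting are assumptions for illustration.

```php
<?php
// Added example, not JEM code. Function names and the blocked list are assumptions.

// Extensions a web server may execute or a browser may render as active content.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar',
                            'html', 'htm', 'shtml', 'xhtml', 'svg', 'js', 'htaccess'];

/** Split a comma-separated setting such as "txt,pdf,PHP" into lowercase extensions. */
function parseAllowedTypes(string $setting): array
{
    $parts = array_map(
        fn ($e) => strtolower(ltrim(trim($e), '.')),
        explode(',', $setting)
    );
    return array_values(array_unique(array_filter($parts, fn ($e) => $e !== '')));
}

/** Return the entries of the allowed-types setting that should not be there. */
function auditAllowedTypes(string $setting): array
{
    return array_values(array_intersect(parseAllowedTypes($setting), BLOCKED_EXTENSIONS));
}

/** Accept a filename only if its last extension is allowed and no segment is blocked. */
function isAttachmentAllowed(string $filename, string $setting): bool
{
    $allowed  = array_diff(parseAllowedTypes($setting), BLOCKED_EXTENSIONS);
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments);                 // drop the base name, keep the extensions
    if ($segments === []) {
        return false;                       // no extension at all
    }
    if (array_intersect($segments, BLOCKED_EXTENSIONS) !== []) {
        return false;                       // blocked type hidden before the last extension
    }
    return in_array(end($segments), $allowed, true);
}

// Constructed sample setting and filenames.
$setting = 'txt, pdf, jpg, html, PHP';
print_r(auditAllowedTypes($setting));       // entries to remove from the setting
foreach (['flyer.pdf', 'page.HTML', 'report.php.pdf', 'notes'] as $name) {
    printf("%-16s %s\n", $name, isAttachmentAllowed($name, $setting) ? 'accept' : 'reject');
}
```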