#37174 New Feature Request - Vulnerable Extensions Scanner

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 24 May 2022 09:18 CDT

cavegraffitti

I'm a huge fan and customer for a long time and thought I would suggest a new feature.

Since Joomla releases the Vulnerable Extensions webpage

https://extensions.joomla.org/vulnerable-extensions/vulnerable/?start=40

would it be easy to implement a scanner that looks for these extensions and notifies you they are installed and vulnerable?

nicholas
Akeeba Staff
Manager

That list is not provided in anything that even remotely resembles a machine readable format.

First of all, the extension name matches neither the extension name in the menu nor the extension code (something like com_example, plg_system_whatever and so on).

There is no consistent reporting of the vulnerable version.

While they claim to move patched issues to the resolved list they don't actually do that consistently. For example: https://extensions.joomla.org/vulnerable-extensions/vulnerable/akeeba/ This is an issue that has been fixed WELL OVER A DECADE AGO (April 9th 2011 — not a typo, I really mean twenty eleven!). This is still not moved into the resolved list — not to mention it was only added to VEL two years after we had already fixed it to begin with...

I am also not sure at all that the list is reliable. I know that there are at least two security issues we have fixed in our software since 2011 which are not listed in either of their lists.

Given these problems you can't use the information of the VEL to create a vulnerable extensions scanner. It's something we would really want to do, it's been on our radar ever since VEL existed, it's just not possible.

Nicholas K. Dionysopoulos

Lead Developer and Director
