Patch Joomla SecurityCheck

If you use the SecurityCheck security plug-in for Joomla, it's time for an upgrade.

The ADEO Security Team posted cross-site scripting (XSS) and SQL injection vulnerabilities (with proof-of-concept) to Full Disclosure.

Both of the vulnerabilities are only exploitable when the admin is logged into a Joomla site.

The XSS vulnerability allows an attacker to add a new admin to a Joomla site while the “real” admin is checking the SecurityCheck logs.

The SQL injection bug lets an attacker steal the admin's session ID, if the attacker is online.

Both have been patched in the latest version of the extension, here. ®
