Dear customers
This morning, Fiona Coulter (VEL team member, vel.joomla.org) contacted us to inform us about a security issue (SQL injection) with the Events Booking extension. The details of the issue can be found at cxsecurity.com/issue/WLB-2016090190.
After spending time checking the issue (using both the mentioned tool, sqlmap.org, and code review), we found that the issue only affects Events Booking version 1.7.4 and older (1.7.4 was the latest release in the Events Booking 1.x.x series), not version 2.10.1 as stated in the report.
One of the sites which was used to test the security issue report is using Events Booking version 1.6.6; the other site (a dev site) is using an even older version of Events Booking.
If you are using Events Booking 2.0.0+, you are not affected by this issue. If you are using Events Booking 1.7.4 or older, please update to the latest version of Events Booking ASAP.
If you cannot update to the latest version, please make a backup of the file components/com_eventbooking/models/calendar.php, then unzip and upload this modified file to that folder to get the issue sorted.
Regards,
Tuan
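For readers who maintain their own Joomla components, the following PHP example is added here to illustrate the class of bug behind this notice; it is constructed for illustration, is not the Events Booking code, and does not reproduce the reported issue or its fix. It assumes the Joomla 3 database API (`JFactory::getDbo()`, `getQuery(true)`, `quote()`) and a hypothetical table `#__example_events` with `event_date` and `title` columns.

```php
<?php
// Constructed example, not part of Events Booking. Shows how a calendar
// model query becomes injectable when request input is concatenated into
// SQL, and how the same query looks when the input is typed and quoted.

defined('_JEXEC') or die;

class ExampleCalendarModel
{
    /**
     * UNSAFE pattern: raw request values are pasted straight into the SQL
     * string. Anything the client puts in ?month= or ?search= becomes part
     * of the statement, which is exactly what a SQL-injection scanner looks for.
     */
    public function getEventsUnsafe()
    {
        $db     = JFactory::getDbo();
        $input  = JFactory::getApplication()->input;
        $year   = $input->get('year');    // untyped string from the request
        $month  = $input->get('month');   // untyped string from the request
        $search = $input->get('search');  // untyped string from the request

        $sql = "SELECT id, title, event_date FROM #__example_events "
             . "WHERE YEAR(event_date) = " . $year
             . " AND MONTH(event_date) = " . $month
             . " AND title LIKE '%" . $search . "%'";

        $db->setQuery($sql);

        return $db->loadObjectList();
    }

    /**
     * SAFE pattern: numeric input is read as an integer, free text is
     * escaped and quoted by the database driver, and the statement is
     * assembled with the query builder so no user data is ever interpreted
     * as SQL syntax.
     */
    public function getEventsSafe()
    {
        $db    = JFactory::getDbo();
        $input = JFactory::getApplication()->input;

        // getInt() casts to int; a value like "9 OR 1=1" simply becomes 9.
        $year  = $input->getInt('year', (int) date('Y'));
        $month = $input->getInt('month', (int) date('n'));

        // getString() strips tags; quote() escapes and wraps the value.
        $search = $input->getString('search', '');

        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'title', 'event_date')))
            ->from($db->quoteName('#__example_events'))
            ->where('YEAR(' . $db->quoteName('event_date') . ') = ' . (int) $year)
            ->where('MONTH(' . $db->quoteName('event_date') . ') = ' . (int) $month);

        if ($search !== '') {
            $like = $db->quote('%' . $db->escape($search, true) . '%', false);
            $query->where($db->quoteName('title') . ' LIKE ' . $like);
        }

        $db->setQuery($query);

        return $db->loadObjectList();
    }
}
```

The practical check when reviewing a model file such as the one named above is to look for every place a request value reaches `setQuery()`: it should arrive either cast to a number or passed through `$db->quote()`, never spliced into the string as-is.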