JPodium not vulnerable to SQL injection

On 5th July I was made aware that a potential SQL injection vulnerability in the frontend views of JPodium had been reported. I investigated this immediately and got in contact with other Joomla! developers. Be assured: no SQL injection is possible on any of the frontend views. No SQL queries are built from user input or from unfiltered URL parameters.
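To make the distinction above concrete, here is an added illustration (not JPodium's own code, and not taken from the reports) of the difference between a frontend view that builds a query from a raw URL parameter and one that filters and quotes it. It assumes the Joomla 2.5-era API (JFactory, JInput, JDatabaseQuery); the table name `#__jpodium_items` and the column `itemid` are made up for the example.

```php
<?php
// Added illustration, not JPodium code. Assumes the Joomla 2.5-era API;
// the table #__jpodium_items and its itemid column are made up.
defined('_JEXEC') or die;

// Unsafe pattern: the raw URL parameter is concatenated into the SQL text,
// so whoever controls ?Itemid=... controls the query.
function jpodiumExampleLoadUnsafe()
{
    $db = JFactory::getDbo();
    $db->setQuery('SELECT * FROM #__jpodium_items WHERE itemid = ' . $_GET['Itemid']);

    return $db->loadObjectList();
}

// Safe pattern: the parameter is cast to an integer by the input filter, and
// identifiers are quoted by the database driver. Non-numeric input becomes 0,
// which simply matches no row.
function jpodiumExampleLoadSafe()
{
    $input  = JFactory::getApplication()->input;
    $db     = JFactory::getDbo();
    $itemId = $input->getInt('Itemid', 0);

    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__jpodium_items'))
        ->where($db->quoteName('itemid') . ' = ' . (int) $itemId);

    $db->setQuery($query);

    return $db->loadObjectList();
}
```

The second function is the shape a reviewer looks for when checking whether a parameter such as Itemid can reach the database: the value is typed at the input boundary and the query is assembled by the driver's query builder rather than by string concatenation.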


The report can be found here. I was also contacted by the webmaster of the German website joomlakom after he published a report. There he confirms that the parameter in question (ItemID) is not used in any database query. Please read the report here.

During the investigation some other issues in the backend were identified, mainly an incomplete implementation of token checking. This will be taken care of in the next update. To avoid any risk at all until then, it is recommended not to have other websites open while being logged in to the backend.
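The token check referred to above is Joomla's CSRF protection: a per-session token is emitted into backend forms and verified by the controller before any state-changing task runs. When it is missing from a task, a page on another site that the logged-in administrator has open can submit that task on their behalf, which is why the interim advice is not to browse other sites while logged in. The following is an added example of the complete check (not JPodium's own code); it assumes the Joomla 2.5-era API (JController, JSession, JHtml), and the component name `com_jpodium`, the controller class and the task names are made up.

```php
<?php
// Added illustration of Joomla's CSRF token check, not JPodium code.
// Assumes the Joomla 2.5-era API; com_jpodium, the controller class and the
// task names are made up for the example.
defined('_JEXEC') or die;

// 1. In the backend form template, emit the hidden per-session token field:
//
//   <form action="index.php?option=com_jpodium" method="post">
//     ...
//     <?php echo JHtml::_('form.token'); ?>
//   </form>
//
// 2. For link-based tasks, append the token as a parameter instead:
//
//   $url = 'index.php?option=com_jpodium&task=example.remove&id=' . (int) $id
//        . '&' . JSession::getFormToken() . '=1';

class JPodiumControllerExample extends JController
{
    // Every task that changes state verifies the token before doing anything.
    public function save()
    {
        // Default method is 'post': the token must arrive in the form body.
        JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

        // ... apply the posted changes ...

        $this->setRedirect('index.php?option=com_jpodium', 'Saved.');
    }

    public function remove()
    {
        // A GET link cannot carry a POST-only token; 'request' accepts the
        // token from either method and still rejects a request without one.
        JSession::checkToken('request') or jexit(JText::_('JINVALID_TOKEN'));

        // ... perform the deletion ...

        $this->setRedirect('index.php?option=com_jpodium', 'Removed.');
    }
}
```

The important property is completeness: a single state-changing task without the check, such as a delete or publish action reachable by link, is enough for a cross-site request to succeed, so every such task in the backend controllers needs the guard, not only the ones behind a form.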