False security report on Tag Meta Community 1.7.6

On May 4, 2017 we get a message from Joomla Vulnerable Extensions list (VEL) reporting the following security issue about Tag Meta Community 1.7.6:


This report has the following references:



According to these reports, Tag Meta is affected by a SQL Injection bug, and also a Proof Of Concept (PoC) is provided:

PoC: Exploitation
http://localhost:8080/[PATH]/index.php?option=com_tag&task=tag&tag=-`[SQL-Injection Vulnerability!]--

This vulnerabilty is, indeed, related to another extension named Joomla Tag and already reported here in the far 2012:


It seems that someone just "revived" the issue, but associated it with Tag Meta (com_tagmeta), probably because in the meanwhile Joomla Tag (com_tag) doesn't exist anymore.

Moreover, Tag Meta doesn't have a frontend view, so it could NOT be hacked as described in the PoC. And the VEL Team has already verified the information provided and Tag Meta is resulted CLEAN & SAFE.