CVE-2018-25330

Joomla! EkRishta 2.10 Persistent XSS and SQL Injection

CVSS 8.8 HIGHEPSS 0.3%CWE-89

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Joomlaextensions · Joomla! extension EkRishta

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/44660unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://extensions.joomla.org/extensions/extension/living/dating-a-relationships/ek-rishta/https://www.exploit-db.com/exploits/44660 https://www.joomlaextensions.co.in/https://www.vulncheck.com/advisories/joomla-ekrishta-persistent-xss-and-sql-injection