CVE-2019-25761

Joomla! Component JoomCRM 1.1.1 SQL Injection via deal_id

CVSS 7.1 HIGHEPSS 0.2%CWE-89

Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the deal_id parameter. Attackers can send GET requests to index.php with option=com_joomcrm&view=contacts and inject SQL code in the deal_id parameter to extract sensitive database information including table names and schemas.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Joomboost · JoomCRM

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/46122unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://joomboost.com/https://extensions.joomla.org/extensions/extension/marketing/crm/joomcrm/https://www.exploit-db.com/exploits/46122 https://www.vulncheck.com/advisories/joomla-component-joomcrm-sql-injection-via-deal-id