CVE Catalog

CVE-2017-20260

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

The Joomla! Component Price Alert version 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can send requests to the subscribeajax view with crafted SQL payloads in the product_id parameter to extract sensitive database information including credentials and configuration data.

Risk Assessment

This vulnerability poses a serious risk to the organization's data security, allowing attackers to access confidential information. It may lead to data breaches and loss of customer trust.

Recommendation

It is recommended to update the Joomla! Price Alert component to the latest version to eliminate this vulnerability. Additionally, implementing input validation and monitoring database activity is advisable.

Original NVD description (English source)

Joomla! Component Price Alert 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can send requests to the subscribeajax view with crafted SQL payloads in the product_id parameter to extract sensitive database information including credentials and configuration data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS