CVE Catalog

CVE-2023-54357

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

26th percentile — higher than 26% of all known CVEs

Summary

The Joomla com_booking component version 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts. Attackers can exploit the getUserData function in the customer controller by sending appropriate GET requests.

Risk Assessment

This vulnerability may lead to the disclosure of personal user data, increasing the risk of phishing attacks and privacy breaches. Organizations may face a loss of trust from users.

Recommendation

It is recommended to update the com_booking component to the latest version to eliminate this vulnerability. Additionally, implementing access restrictions to functions that may disclose user data is advisable.

Original NVD description (English source)

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS