CVE-2023-54357
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
The Joomla com_booking component version 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts. Attackers can exploit the getUserData function in the customer controller by sending appropriate GET requests.
Risk Assessment
This vulnerability may lead to the disclosure of personal user data, increasing the risk of phishing attacks and privacy breaches. Organizations may face a loss of trust from users.
Recommendation
It is recommended to update the com_booking component to the latest version to eliminate this vulnerability. Additionally, implementing access restrictions to functions that may disclose user data is advisable.
Original NVD description (English source)
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.

