Description
Joomla! Component JB Visa 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the visatype parameter. Attackers can send GET requests to index.php with the option=com_bookpro and view=popup parameters, injecting SQL commands in the visatype parameter to extract sensitive database information including credentials and table contents.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla! Component JB Visa 1.0 allows unauthenticated attackers to inject arbitrary SQL through the visatype parameter sent in a GET request to the component’s popup view. This flaw lets an attacker read sensitive database contents, including user credentials, by executing crafted SQL statements. The impact is primarily data exposure and potential credential compromise. The vulnerability is classified as a high‑severity SQL injection (CWE‑89) with a CVSS score of 8.8.

Affected Systems

The affected product is Joombooking’s JB Visa component, version 1.0. No other versions or editions are listed in the defect data.

Risk and Exploitability

The vulnerability requires no authentication and is reachable through a public web request, making it trivial for attackers to target any site that has the component installed. Although the EPSS score is not available, the high CVSS score indicates that exploitation is likely to result in significant damage. The flaw is not currently listed in the CISA KEV catalog, but exploit code exists on exploit‑db, suggesting that the risk to exposed sites is real.

Generated by OpenCVE AI on June 19, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JB Visa component to a patched or supported version if one is available.
  • If a patch is not available, disable or remove the JB Visa component from the site to eliminate the injection surface.
  • Restrict access to the popup view or the entire component through a firewall or access list, ensuring only authenticated users can reach it.
  • Implement input validation and parameterized queries in the component to address the underlying CWE‑89 weakness.

Generated by OpenCVE AI on June 19, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Joombooking
Joombooking jb Visa
Vendors & Products Joombooking
Joombooking jb Visa

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component JB Visa 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the visatype parameter. Attackers can send GET requests to index.php with the option=com_bookpro and view=popup parameters, injecting SQL commands in the visatype parameter to extract sensitive database information including credentials and table contents.
Title Joomla! Component JB Visa 1.0 SQL Injection via visatype
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joombooking Jb Visa
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T14:33:19.635Z

Reserved: 2026-06-19T14:36:09.404Z

Link: CVE-2017-20255

cve-icon Vulnrichment

Updated: 2026-06-22T14:33:15.558Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:46Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')