Impact
Joomla Survey Force Deluxe 3.2.4 contains an SQL injection flaw that allows attackers to inject arbitrary SQL code through the invite parameter, enabling the execution of malicious queries against the database. The vulnerability is accessible via a GET request and does not require any authentication, meaning that any external user can exploit it. If successful, an attacker could extract sensitive data or modify database contents, directly compromising the confidentiality of the site’s information.
Affected Systems
The affected product is the Survey Force Deluxe component developed by Joomplace, specifically version 3.2.4. No other versions or related products are listed as affected in the provided data, so only installations of this exact version face the identified risk.
Risk and Exploitability
The CVSS score of 8.8 denotes a high severity flaw, and although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the lack of authentication and the ability to issue arbitrary SQL commands make exploitation highly attractive for attackers. The likely attack vector is a remote HTTP request directed at the component’s invite endpoint, requiring only a crafted payload. Such exploitation could lead to full data disclosure or modification, posing a significant threat to organizational information security.
OpenCVE Enrichment