Description
Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite parameter to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection flaw that allows attackers to inject arbitrary SQL code through the invite parameter, enabling the execution of malicious queries against the database. The vulnerability is accessible via a GET request and does not require any authentication, meaning that any external user can exploit it. If successful, an attacker could extract sensitive data or modify database contents, directly compromising the confidentiality of the site’s information.

Affected Systems

The affected product is the Survey Force Deluxe component developed by Joomplace, specifically version 3.2.4. No other versions or related products are listed as affected in the provided data, so only installations of this exact version face the identified risk.

Risk and Exploitability

The CVSS score of 8.8 denotes a high severity flaw, and although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the lack of authentication and the ability to issue arbitrary SQL commands make exploitation highly attractive for attackers. The likely attack vector is a remote HTTP request directed at the component’s invite endpoint, requiring only a crafted payload. Such exploitation could lead to full data disclosure or modification, posing a significant threat to organizational information security.

Generated by OpenCVE AI on June 19, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Survey Force Deluxe to the latest released version that removes the SQL injection issue.
  • If an upgrade is not immediately possible, restrict access to the component by disabling the invite parameter through access control settings or by removing the component entirely if it is no longer required.
  • Deploy web application firewall rules that detect and block SQL injection attempts targeting the invite parameter.
  • Continuously monitor database and web server logs for anomalous SQL queries that could indicate exploitation attempts.

Generated by OpenCVE AI on June 19, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomplace
Joomplace survey Force Deluxe
Vendors & Products Joomplace
Joomplace survey Force Deluxe

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite parameter to extract sensitive database information.
Title Joomla Survey Force Deluxe 3.2.4 SQL Injection via invite Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomplace Survey Force Deluxe
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T02:10:51.696Z

Reserved: 2026-06-19T14:36:34.970Z

Link: CVE-2017-20256

cve-icon Vulnrichment

Updated: 2026-06-23T02:10:47.113Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:48Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')