Impact
The Joomla! Component Quiz Deluxe is affected by an unauthenticated SQL injection flaw in version 3.7.4. The vulnerability resides in the ajaxaction.flag_question task and can be triggered by sending crafted values to the stu_quiz_id or flag_quest parameters. Attackers may inject arbitrary SQL code, allowing them to read, modify, or delete data within the Joomla! database.
Affected Systems
Affected systems include sites running Joomplace's Quiz Deluxe component version 3.7.4. The issue is specific to this component and version; newer or other versions are not known to be vulnerable.
Risk and Exploitability
The CVSS score of 8.8 classifies this as a high severity issue, and the lack of an EPSS score means the exploitation probability is unknown but the vulnerability can be readily exploited by unauthenticated users over the network. It is not listed in the CISA KEV catalog. Attackers likely exploit this by making simple HTTP requests to the exposed endpoint.
OpenCVE Enrichment