Description
Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the sf_selectuser_id parameter. Attackers can send GET requests to index.php with the option=com_upl and view=propertylisting parameters to extract sensitive database information including table names and column structures.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled SQL injection in Joomla Ultimate Property Listing 1.0.2. By supplying a crafted value in the sf_selectuser_id GET parameter, an unauthenticated attacker can inject arbitrary SQL statements. This can lead to extraction of database contents, including table names, column definitions, and user credentials, thereby compromising confidentiality and possibly enabling further attack stages.

Affected Systems

The affected system is Faboba’s Ultimate Property Listing extension for Joomla, version 1.0.2. There is no evidence of additional affected versions or products in the supplied data.

Risk and Exploitability

With a CVSS score of 8.8, this is a high severity issue. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the nature of the flaw allows unauthenticated remote attackers to send HTTP GET requests to index.php with specific query parameters and exploit the injection. Successful exploitation can retrieve sensitive database information. The lack of patch status information suggests that the vulnerability is likely actively exploitable where the component remains deployed.

Generated by OpenCVE AI on June 19, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultimate Property Listing to the latest patched version or remove the component if no update exists.
  • Restrict direct access to the component by configuring Joomla ACL or web server rules to block the option=com_upl and view=propertylisting endpoints for unauthenticated users.
  • Keep Joomla core and all extensions updated, and validate any third‑party components for known vulnerabilities.

Generated by OpenCVE AI on June 19, 2026 at 20:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Faboba
Faboba ultimate Property Listing
Vendors & Products Faboba
Faboba ultimate Property Listing

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the sf_selectuser_id parameter. Attackers can send GET requests to index.php with the option=com_upl and view=propertylisting parameters to extract sensitive database information including table names and column structures.
Title Joomla Ultimate Property Listing 1.0.2 SQL Injection via sf_selectuser_id
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Faboba Ultimate Property Listing
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T19:41:07.897Z

Reserved: 2026-06-19T15:07:24.962Z

Link: CVE-2017-20272

cve-icon Vulnrichment

Updated: 2026-06-22T19:41:02.969Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:20Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')