Impact
The vulnerability is an uncontrolled SQL injection in Joomla Ultimate Property Listing 1.0.2. By supplying a crafted value in the sf_selectuser_id GET parameter, an unauthenticated attacker can inject arbitrary SQL statements. This can lead to extraction of database contents, including table names, column definitions, and user credentials, thereby compromising confidentiality and possibly enabling further attack stages.
Affected Systems
The affected system is Faboba’s Ultimate Property Listing extension for Joomla, version 1.0.2. There is no evidence of additional affected versions or products in the supplied data.
Risk and Exploitability
With a CVSS score of 8.8, this is a high severity issue. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the nature of the flaw allows unauthenticated remote attackers to send HTTP GET requests to index.php with specific query parameters and exploit the injection. Successful exploitation can retrieve sensitive database information. The lack of patch status information suggests that the vulnerability is likely actively exploitable where the component remains deployed.
OpenCVE Enrichment