Impact
The component contains a SQL injection in the displayads function, enabling an unauthenticated attacker to inject arbitrary SQL through the categorySearch, adType, and citySearch POST parameters. Successful exploitation would allow the attacker to retrieve sensitive database contents such as usernames, database names, and version information, thereby compromising the confidentiality of the Joomla site's data.
Affected Systems
Joomla Component J-ClassifiedsManager from Cmsjunkie, version 3.0.5, deployed on Joomla sites. The vulnerability exists in the public displayads interface exposed to all users.
Risk and Exploitability
The CVSS score of 8.8 reflects a significant danger; the vulnerability is exploitable remotely via normal HTTP POST requests, requiring no authentication. The EPSS score is not publicly available, and KEV does not list it, so there is no current evidence of widespread exploitation, but the high CVSS suggests a serious risk if the vulnerability remains unpatched.
OpenCVE Enrichment