Description
Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the deal_id parameter. Attackers can send GET requests to index.php with option=com_joomcrm&view=contacts and inject SQL code in the deal_id parameter to extract sensitive database information including table names and schemas.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JoomCRM 1.1.1 contains an SQL injection flaw that allows an authenticated attacker to manipulate the deal_id parameter in a GET request, enabling the execution of arbitrary SQL statements. This can lead to the extraction of sensitive data such as table names, database schemas, and potentially other confidential information. The weakness is a classic input validation failure mapped to CWE-89.

Affected Systems

The vulnerability affects the Joomboost JoomCRM component for Joomla, specifically version 1.1.1. The component is deployed within a Joomla! site and relies on the Joomla authentication system to control access to the vulnerable endpoint.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity with medium impact on confidentiality and integrity, but no availability impact is noted. The EPSS score is not available, suggesting no readily available public exploitation statistics, and the flaw is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to be authenticated to the Joomla site; an attacker with valid credentials can craft a GET request to index.php?option=com_joomcrm&view=contacts&deal_id=… to inject and execute malicious SQL queries.

Generated by OpenCVE AI on June 19, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JoomCRM to the latest version or apply the vendor’s official patch if available.
  • If an immediate patch is unavailable, disable the JoomCRM component or restrict its access to only the most trusted user groups within Joomla.
  • Consider isolating the Joomla database or applying database-level access controls to limit the privileges of the Joomla user account used by the component.
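Because no vendor fix is available, one compensating control is to watch the web server's access log for the vulnerable endpoint and alert on any deal_id that is not a plain positive integer. The following is an added example, not OpenCVE's or Joomboost's code: the log lines are constructed, the common-log-format layout and the 10-digit id limit are assumptions, and the check is the same one the component itself should perform before using deal_id in a query.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - alice [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_joomcrm&view=contacts&deal_id=42 HTTP/1.1" 200 5120
203.0.113.9 - bob [19/Jun/2026:18:21:14 +0000] "GET /index.php?option=com_joomcrm&view=contacts&deal_id=42%27 HTTP/1.1" 500 312
203.0.113.9 - bob [19/Jun/2026:18:21:30 +0000] "GET /index.php?option=com_joomcrm&view=contacts&deal_id=abc HTTP/1.1" 200 9800
203.0.113.7 - carol [19/Jun/2026:18:22:02 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 2200
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
# A deal_id is only ever a database row id: digits, nothing else (10-digit cap is an assumption).
DEAL_ID_OK = re.compile(r'\d{1,10}')


def is_joomcrm_contacts(query):
    """True when the query string targets the vulnerable JoomCRM contacts view."""
    return query.get('option') == ['com_joomcrm'] and query.get('view') == ['contacts']


def flag_suspicious(log_text):
    """Return (ip, user, decoded deal_id, status) for each request whose deal_id is not a positive integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected log format
        # parse_qs percent-decodes values, so 42%27 becomes 42' before the check.
        query = parse_qs(urlsplit(m['path']).query, keep_blank_values=True)
        if not is_joomcrm_contacts(query):
            continue
        for value in query.get('deal_id', []):
            if not DEAL_ID_OK.fullmatch(value):
                hits.append((m['ip'], m['user'], value, int(m['status'])))
    return hits


if __name__ == '__main__':
    for hit in flag_suspicious(SAMPLE_LOG):
        print('suspicious deal_id from %s (user %s): %r -> HTTP %d' % hit)
```

Repeated hits from one account, or a burst of HTTP 500 responses on this endpoint, are the signal worth escalating while the component stays disabled or restricted.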

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type / Values Removed / Values Added
Description: Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the deal_id parameter. Attackers can send GET requests to index.php with option=com_joomcrm&view=contacts and inject SQL code in the deal_id parameter to extract sensitive database information including table names and schemas.
Title: Joomla! Component JoomCRM 1.1.1 SQL Injection via deal_id
Weaknesses: CWE-89
References:
Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
Metrics: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:45:23.204Z

Reserved: 2026-06-19T14:32:28.626Z

Link: CVE-2019-25761

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:00:11Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')