Description
Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.
Published: 2026-06-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JoomProject 1.1.3.2, a component for the Joomla content management system, has a flaw in its projects endpoint that leaks sensitive user data. The vulnerability allows attackers without any authentication to send a crafted request to index.php with certain query parameters, causing the component to return a JSON object that contains user IDs, names, and email addresses. This weakness is classified as CWE‑359, which denotes information disclosure due to improper access controls.

Affected Systems

The affected product is the JoomProject component for Joomla, version 1.1.3.2, released by Joomboost. No other Joomla add‑ons or core versions are listed as affected; however, any Joomla site that has this component installed and unchanged could be compromised.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. EPSS is not available, so the exact likelihood of exploitation is uncertain, but the lack of authentication requirements makes the attack vector straightforward for network‑based attackers. The flaw is not currently catalogued in the CISA KEV list, yet the ability to freely pull user credentials from any public Joomla installation still poses a significant risk to sites that rely on the component for project management.

Generated by OpenCVE AI on June 19, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JoomProject component to the latest version released by Joomboost that contains the fix for the information disclosure issue.
  • If a patch is not immediately available, configure Joomla’s Access Control List to deny anonymous and unauthenticated users from accessing the component’s projects view, thereby blocking the vulnerable endpoint.
  • Modify the site’s .htaccess or component settings to remove or limit access to index.php?option=com_jpprojects&view=projects&tmpl=component&format=json queries, ensuring that only authenticated users can request JSON responses.

Generated by OpenCVE AI on June 19, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomboost
Joomboost joomproject
Vendors & Products Joomboost
Joomboost joomproject

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.
Title Joomla! Component JoomProject 1.1.3.2 Information Disclosure
Weaknesses CWE-359
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomboost Joomproject
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T14:09:04.210Z

Reserved: 2026-06-19T14:33:52.614Z

Link: CVE-2019-25762

cve-icon Vulnrichment

Updated: 2026-06-22T14:08:57.434Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:34:43Z

Weaknesses
  • CWE-359

    Exposure of Private Personal Information to an Unauthorized Actor