Description
Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.
Published: 2026-06-19
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JoomProject 1.1.3.2, a component for the Joomla content management system, has a flaw in its projects endpoint that leaks sensitive user data. An attacker without any authentication can send a request to index.php with the query parameters option=com_jpprojects&view=projects&tmpl=component&format=json, and the component returns a JSON object that contains user IDs, names, and email addresses. This weakness is classified as CWE‑359, Exposure of Private Personal Information to an Unauthorized Actor.

Affected Systems

The affected product is the JoomProject component for Joomla, version 1.1.3.2, released by Joomboost. No other Joomla add‑ons or core versions are listed as affected; however, any Joomla site that has this component installed and unpatched is exposed to the disclosure described above.

Risk and Exploitability

The flaw carries a CVSS 4.0 score of 8.7 (7.5 under CVSS 3.1), indicating high severity. EPSS is not available, so the exact likelihood of exploitation is uncertain, but the request needs no authentication, which makes the attack vector straightforward for network‑based attackers. The flaw is not currently catalogued in the CISA KEV list, yet the ability to freely pull user IDs, names, and email addresses from any public Joomla installation that runs the component still poses a significant risk to sites that rely on it for project management.

Generated by OpenCVE AI on June 19, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JoomProject component to a version released by Joomboost that contains the fix for the information disclosure issue, once one is available.
  • If a patch is not immediately available, configure Joomla’s Access Control List to deny anonymous (unauthenticated) users access to the component’s projects view, thereby blocking the vulnerable endpoint.
  • Modify the site’s .htaccess or component settings to remove or limit access to index.php?option=com_jpprojects&view=projects&tmpl=component&format=json queries, ensuring that only authenticated users can request JSON responses.

Generated by OpenCVE AI on June 19, 2026 at 20:26 UTC.
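
For sites that want to check whether the endpoint has already been queried, the following is an added example (not part of the OpenCVE record or of JoomProject) that scans web access logs for requests carrying the option, view and format values from the description. It assumes the Apache/nginx combined log format; the function names, sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter values named in the description. tmpl=component is not required
# (assumption: matching on fewer parameters avoids missing trimmed variants).
SIGNATURE = {"option": "com_jpprojects", "view": "projects", "format": "json"}

# Combined log format (assumed): ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def matches_endpoint(target: str) -> bool:
    """True if the request target carries the JoomProject projects JSON query."""
    # parse_qs percent-decodes, so encoded spellings such as format=%6Ason match.
    # The last value of a repeated key is used, and values are compared
    # case-insensitively (assumption; errs toward flagging).
    query = {k: v[-1].lower() for k, v in parse_qs(urlsplit(target).query).items()}
    return all(query.get(k) == v for k, v in SIGNATURE.items())

def scan(lines):
    """Return one finding per matching request; 'served' marks 200 responses with a body."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not matches_endpoint(m["target"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "served": m["status"] == "200" and size > 0,
        })
    return findings

# Constructed sample log lines (documentation IP ranges), not taken from a real site.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_jpprojects&view=projects&tmpl=component&format=json HTTP/1.1" 200 4812 "-" "curl/8.5"',
    '192.0.2.10 - - [19/Jun/2026:18:20:05 +0000] "GET /index.php?format=%6Ason&view=projects&option=com_jpprojects HTTP/1.1" 403 199 "-" "curl/8.5"',
    '198.51.100.7 - - [19/Jun/2026:18:21:44 +0000] "GET /index.php?option=com_jpprojects&view=projects HTTP/1.1" 200 15320 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jun/2026:18:22:10 +0000] "GET /index.php?option=com_content&view=article&id=3&format=json HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true means the server answered the query with content, so the response body should be treated as disclosed; a 403 on the same query indicates the access restriction is in effect.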

History

Fri, 19 Jun 2026 18:15:00 +0000

Values removed: none listed.

Values added:

  • Description: Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.
  • Title: Joomla! Component JoomProject 1.1.3.2 Information Disclosure
  • Weaknesses: CWE-359
  • References
  • Metrics:
      cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:48:44.945Z

Reserved: 2026-06-19T14:33:52.614Z

Link: CVE-2019-25762

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-359

    Exposure of Private Personal Information to an Unauthorized Actor