Description
Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information.
Published: 2026-05-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated SQL injection vulnerability exists in Joomla J2 JOBS 1.3.0 that allows attackers to inject SQL code via the ‘sortby’ parameter. By sending malicious POST requests to the administrator index, a logged‑in attacker can alter database queries and directly read sensitive data. The flaw is a classic instance of CWE‑89: SQL Injection, and its primary consequence is the leakage of confidential information from the database.

Affected Systems

The affected product is Joomsky’s J2 JOBS, version 1.3.0. No other products or sub‑versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but the vulnerability requires an authenticated administrator session. With EPSS data unavailable, the probability of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the Joomla backend; once authenticated, they can exploit the injection by crafting POST requests to the administration index. The risk is moderate to high for systems that expose the J2 JOBS backend to untrusted users or have weak access controls.

Generated by OpenCVE AI on May 13, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade J2 JOBS to a version that removes the vulnerable ‘sortby’ handling or applies the vendor’s patch if available.
  • If an upgrade is not possible, disable the ‘sortby’ parameter in the admin interface or apply a firewall rule to block POST requests containing this parameter from untrusted sources.
  • Restrict access to the Joomla administration panel to trusted IP addresses and enforce strong authentication methods such as two‑factor authentication.
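The mechanism described under Impact (untrusted 'sortby' reaching the ORDER BY clause) and the second recommended action (a request filter on the 'sortby' parameter) both come down to the same control: an ORDER BY column cannot be bound as a query parameter, so the value has to be checked against an allowlist. The following Python block is an added example and is not code from OpenCVE, Joomsky or J2 JOBS; the page shows no source, so the vulnerable string-concatenation pattern, the `jobs` table, its column names and the request bodies are all constructed assumptions. It contrasts the assumed vulnerable query builder with an allowlisted one, runs both against an in-memory SQLite table, and shows a coarse request check of the kind a WAF rule could apply to POSTs to the administrator index.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed schema and allowlist: the real J2 JOBS column names are not on the
# page, so these stand in for whatever the component actually sorts by.
ALLOWED_SORT_COLUMNS = {"id", "title", "created"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# Shape a legitimate sortby value is assumed to have: "<column>" or "<column> <asc|desc>".
SORTBY_PATTERN = re.compile(r"^[a-z_]+(?: (?:asc|desc))?$", re.IGNORECASE)


def build_query_vulnerable(sortby: str) -> str:
    """Assumed CWE-89 pattern: the untrusted value is spliced into ORDER BY, so any
    SQL expression supplied by the caller is handed to the database engine."""
    return f"SELECT id, title FROM jobs ORDER BY {sortby}"


def build_query_safe(sortby: str) -> str:
    """Hardened form: placeholders cannot parameterise ORDER BY, so the column and
    direction are validated against a fixed allowlist before being interpolated."""
    column, _, direction = sortby.strip().partition(" ")
    direction = (direction or "ASC").upper()
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {column!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not allowed: {direction!r}")
    return f"SELECT id, title FROM jobs ORDER BY {column} {direction}"


def run(sql: str) -> list:
    """Execute a query against an in-memory SQLite table holding constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER, title TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?, ?)",
        [(2, "Backend developer", "2026-05-02"), (1, "Analyst", "2026-05-01")],
    )
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows


def should_block(method: str, path: str, body: str) -> bool:
    """Coarse request filter matching the recommended firewall rule: reject POSTs
    to the administrator index whose form-encoded sortby value is not a plain
    column/direction. Paths and bodies are constructed for the example."""
    if method != "POST" or not path.startswith("/administrator/index.php"):
        return False
    for value in parse_qs(body).get("sortby", []):
        if not SORTBY_PATTERN.match(value):
            return True
    return False


if __name__ == "__main__":
    untrusted = "(SELECT 1)"  # an arbitrary SQL expression, not a column name
    # Vulnerable builder: the expression is executed by the engine without error.
    print("vulnerable:", run(build_query_vulnerable(untrusted)))
    # Hardened builder: the same value never reaches the database.
    try:
        build_query_safe(untrusted)
    except ValueError as err:
        print("rejected:", err)
    print("safe:", run(build_query_safe("title desc")))
    print("block:", should_block("POST", "/administrator/index.php",
                                 "option=com_j2jobs&sortby=%28SELECT+1%29"))
```

The request filter is deliberately conservative: it only inspects the 'sortby' field of POSTs to the administrator index and leaves every other request alone, so it can sit in front of the panel without disturbing normal use. The allowlist in `build_query_safe` is the durable fix; the filter is a stopgap until a vendor release replaces the vulnerable handling.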

Advisories

No advisories yet.

History

Thu, 14 May 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Joomsky; Joomsky j2 Jobs
Vendors & Products                     Joomsky; Joomsky j2 Jobs

Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information.
Title                          Joomla J2 JOBS 1.3.0 Authenticated SQL Injection via sortby
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T15:58:22.982Z

Reserved: 2026-05-13T14:13:46.970Z

Link: CVE-2020-37224

Vulnrichment

Updated: 2026-05-14T15:58:14.931Z

NVD

Status : Deferred

Published: 2026-05-13T16:16:33.990

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:17Z

Weaknesses