Description
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
Published: 2026-06-19
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla! com_booking component version 2.4.9 has a flaw that allows an attacker without authentication to discover registered user names, usernames, and email addresses by sending specially crafted GET requests. The vulnerability lies in the getUserData function of the customer controller and leads to the leakage of personally identifiable information, which can be leveraged for phishing or further attacks.

Affected Systems

The affected product is Artio's Joomla! com_booking component, specifically version 2.4.9. No other versions are listed as impacted in the available data.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high-severity vulnerability. Exploitation requires only that the attacker send a GET request to the component; no authentication is needed, so the attack vector is the network. EPSS data is unavailable and the CVE is not listed in KEV, but neither diminishes the potential damage. Attackers can perform brute-force enumeration over the vulnerable endpoint, potentially exposing large numbers of accounts in a short time.

Generated by OpenCVE AI on June 19, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the com_booking component to version 2.4.10 or later.
  • If an upgrade is not immediately feasible, disable or restrict the getUserData interface by blocking the GET request pattern via web server configuration (e.g., .htaccess or firewall rules).
  • Restrict unauthenticated access to the component by configuring user permissions or using a Web Application Firewall to filter enumeration attempts.
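
To check whether the endpoint has already been enumerated, or to tune a blocking rule before deploying it, the request pattern from the description can be searched for in web server access logs. The following is an added example, not code from OpenCVE or the component vendor; it assumes combined-format access logs, and the sample lines, function names and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Parameter values named in the CVE description (compared case-insensitively
# as a conservative choice).
PATTERN = {"option": "com_booking", "controller": "customer", "task": "getuserdata"}
# Combined log format prefix: client ident user [time] "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def query_of(target):
    """Parse the query string; parse_qs also percent-decodes names and values."""
    return parse_qs(urlsplit(target).query)

def is_get_user_data(target):
    """True if all three parameters are present, in any order (last value wins)."""
    q = query_of(target)
    return all(q.get(k, [""])[-1].lower() == v for k, v in PATTERN.items())

def find_enumerators(lines, min_distinct_ids=3):
    """Return {client: sorted distinct id values} for clients at/above the threshold."""
    ids_by_client = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_get_user_data(m.group(2)):
            continue  # unparseable line or unrelated request
        ids_by_client[m.group(1)].update(query_of(m.group(2)).get("id", []))
    return {c: sorted(v) for c, v in ids_by_client.items()
            if len(v) >= min_distinct_ids}

# Constructed sample log lines (documentation IP ranges, not real traffic).
TS = "[19/Jun/2026:10:00:01 +0000]"
BASE = "/index.php?option=com_booking&controller=customer"
SAMPLE_LOG = [
    f'198.51.100.7 - - {TS} "GET {BASE}&task=getUserData&id=1 HTTP/1.1" 200 143',
    f'198.51.100.7 - - {TS} "GET /index.php?id=2&task=getUserData'
    f'&controller=customer&option=com_booking HTTP/1.1" 200 151',
    f'198.51.100.7 - - {TS} "GET {BASE}&task=getUserD%61ta&id=3 HTTP/1.1" 200 149',
    f'192.0.2.10 - - {TS} "GET /index.php?option=com_booking&view=calendar HTTP/1.1" 200 5120',
    f'192.0.2.10 - - {TS} "GET {BASE}&task=getUserData&id=42 HTTP/1.1" 200 140',
]

if __name__ == "__main__":
    for client, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{client} requested getUserData for {len(ids)} distinct ids: {ids}")
```

Matching on decoded parameters rather than the raw URL string means reordered or percent-encoded requests are still counted, which is also the property a blocking rule needs.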



Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
Title | | Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration
Weaknesses | | CWE-203
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:52:06.684Z

Reserved: 2026-01-10T01:51:52.988Z

Link: CVE-2023-54357

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses