Impact
The vulnerability is a classic SQL injection flaw in the AcyMailing extension for Joomla, affecting all releases before version 10.11.1. By sending specially crafted queries, an attacker can insert arbitrary SQL statements that are executed against the site’s database. This can result in reading, modifying, or deleting sensitive data, and is classified as CWE-89. The high CVSS score of 9.2 indicates a severe impact if the flaw is successfully exploited.
Affected Systems
All installations of the AcyMailing extension for Joomla supplied by acymailing.com running a version earlier than 10.11.1 are susceptible. No other products or vendor versions are explicitly listed as affected in the CVE data.
Risk and Exploitability
The CVSS score of 9.2 reflects a critical threat level, and while the EPSS score is not available, the absence of a CISA KEV listing does not lower the risk profile. The likely attack vector is remote, through the web interface of the affected Joomla site, where unfiltered input is accepted by the AcyMailing component. Without mitigation, an attacker could gain full read access to the database and potentially modify or delete records.
OpenCVE Enrichment