CVE-2019-25757
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
Joomla vWishlist version 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these parameters to extract sensitive database information including version and database names.
Risk Assessment
This vulnerability may lead to the disclosure of sensitive database information, posing a serious threat to the organization's security. It allows attackers to access critical data, which could result in further attacks or privacy breaches.
Recommendation
It is recommended to update Joomla vWishlist to the latest version that addresses this vulnerability. Additionally, implementing extra security measures, such as restricting access to the component only for trusted users, is advisable.
Original NVD description (English source)
Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these parameters to extract sensitive database information including version and database names.

