EUVD-2025-18260

CVE-2025-49468 (HIGH)
Published: 2025-06-13
CVSS 4.0 base score: 8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 21:34 (source: euvd), EUVD-2025-18260
Analysis Generated: Mar 14, 2026 - 21:34 (source: vuln.today)
CVE Published: Jun 13, 2025 - 10:15 (source: nvd)

Description

A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter.

Analysis

A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover.

Technical Context

The No Boss Calendar component for Joomla (a popular PHP-based content management system) fails to properly sanitize user input in the id_module parameter before incorporating it into SQL queries. This is a classic SQL injection vulnerability (CWE-89: Improper Neutralization of Special Elements used in an SQL Command): user-controlled input reaches a database query without parameterized statements or input validation. The vulnerability affects the component's backend module-handling logic. The attack vector is network-based with low complexity, requiring only HTTP requests to the vulnerable Joomla installation. The CVSS vector's PR:H (high privileges required) most likely means that administrator or comparably elevated component access is needed, so the "remote authenticated users" in the description should be read as users holding such elevated roles within the Joomla system.
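The following is an added illustration of the CWE-89 pattern described above; it is not code from the No Boss Calendar component (which is PHP running inside Joomla) or from vuln.today. It models an id_module lookup in Python against a constructed in-memory SQLite table: the vulnerable form pastes the request parameter into the SQL text, while the hardened form validates the parameter's shape and binds it as a driver parameter. The table, column names and the handle_request wrapper are assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for a module-configuration table. The real component is
# PHP running inside Joomla; this in-memory SQLite table only models the pattern.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER PRIMARY KEY, title TEXT, params TEXT)")
    conn.executemany(
        "INSERT INTO modules VALUES (?, ?, ?)",
        [(1, "Main calendar", "show_weekends=1"),
         (2, "Sidebar calendar", "show_weekends=0"),
         (3, "Staff calendar", "private=1")],
    )
    return conn

def lookup_module_vulnerable(conn, id_module):
    """CWE-89 pattern: the request parameter is pasted into the SQL text, so
    whatever the caller puts in id_module becomes part of the query."""
    sql = f"SELECT id, title FROM modules WHERE id = {id_module}"
    return conn.execute(sql).fetchall()

# A module id is a plain decimal integer; anything else is rejected before any query runs.
ID_RE = re.compile(r"[0-9]+")

def lookup_module_hardened(conn, id_module):
    """Validate the parameter's shape, then hand the value to the driver as a
    bound parameter so it is never interpreted as SQL."""
    if not isinstance(id_module, str) or not ID_RE.fullmatch(id_module):
        raise ValueError("id_module must be a decimal integer")
    return conn.execute(
        "SELECT id, title FROM modules WHERE id = ?", (int(id_module),)
    ).fetchall()

def handle_request(conn, query_params):
    """Hypothetical request handler (assumed for the example): returns
    (status, rows) the way an HTTP layer would, answering malformed ids
    with 400 instead of touching the database."""
    id_module = query_params.get("id_module", "")
    try:
        return 200, lookup_module_hardened(conn, id_module)
    except ValueError:
        return 400, []

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id_module=2        ->", lookup_module_vulnerable(db, "2"))
    print("vulnerable, id_module=2 OR 1=1 ->", lookup_module_vulnerable(db, "2 OR 1=1"))
    print("hardened,   id_module=2 OR 1=1 ->", handle_request(db, {"id_module": "2 OR 1=1"}))
```

The two defences are independent: the shape check (a decimal integer and nothing else) stops the request at the edge and is cheap to log, while the bound parameter guarantees that even a value that slips past validation is treated as data. Joomla's own database layer offers the equivalent of the second step (quoting or binding values instead of concatenating them), which is the change a component fix of this kind normally consists of.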

Affected Products

No Boss Calendar component for Joomla, versions before 5.0.7. Affected CPE string: cpe:2.3:a:no_boss:calendar:*:*:*:*:*:joomla:*:*. Specific vulnerable versions include all releases from initial availability through 5.0.6. Joomla 3.x, 4.x, and 5.x may be affected depending on component compatibility. The vulnerability is component-specific and requires the No Boss Calendar extension to be installed and enabled on a target Joomla instance.

Remediation

Immediate remediation: update the No Boss Calendar component to version 5.0.7 or later.

Step-by-step:
1. Log in to the Joomla administrator panel.
2. Navigate to Extensions > Manage > Manage.
3. Locate the 'No Boss Calendar' extension.
4. Click Update if available, or remove the component and reinstall version 5.0.7+.
5. Test calendar functionality after the update.

Workarounds for delayed patching:
1. Restrict admin access to trusted users only.
2. Implement network-level access controls limiting administrator backend access to specific IP ranges.
3. Disable the No Boss Calendar component if it is not actively used (Extensions > Manage > Manage, unpublish the component).
4. Monitor database logs for unusual SQL patterns.

Long-term: subscribe to Joomla security mailing lists and No Boss Calendar vendor advisories for future updates. The vendor advisory or patch is likely to be published at No Boss Calendar's official repository or the Joomla Extensions Directory (JED).
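As an added example of the monitoring workaround above (not code from vuln.today or the component vendor), the script below scans web-server access log lines for requests whose id_module parameter is not a plain integer, which is the one thing a legitimate module id can be. The log format (Apache/nginx "combined" style) and the option= value in the sample lines are assumptions; the page does not give the component's option name, so a placeholder is used, and the sample lines are constructed rather than taken from any deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed "combined"-style access log layout; the request field carries the path
# and query string, which is where a GET parameter such as id_module appears.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
NUMERIC = re.compile(r"[0-9]+")

# Constructed sample lines, not from a real deployment. The option= value is a
# placeholder: the component's real option name is not given on the page.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2025:10:15:01 +0000] "GET /administrator/index.php?option=com_example_calendar&id_module=2 HTTP/1.1" 200 5123
203.0.113.5 - - [13/Jun/2025:10:15:07 +0000] "GET /administrator/index.php?option=com_example_calendar&id_module=2%20OR%201%3D1 HTTP/1.1" 200 9876
198.51.100.9 - - [13/Jun/2025:10:16:00 +0000] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 3001
198.51.100.9 - - [13/Jun/2025:10:16:30 +0000] "POST /administrator/index.php?option=com_example_calendar HTTP/1.1" 303 0
"""

def suspicious_id_module_values(target):
    """Return the id_module values in a request target that are not a plain
    integer. parse_qs URL-decodes the values, so %20-encoded payloads are
    compared in their decoded form rather than missed."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("id_module", [])
    return [v for v in values if not NUMERIC.fullmatch(v)]

def scan_access_log(lines):
    """Return one finding per request whose id_module parameter is not an integer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log layout
        for bad in suspicious_id_module_values(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "value": bad})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} id_module={f['value']!r} (HTTP {f['status']})")
```

Two caveats for anyone running this against real logs: parameters sent in a POST body do not appear in access logs, so the same integer-shape check should also be applied wherever request bodies or database query logs are available, and a hit with HTTP 200 from an account that holds administrator access is worth more attention than a 400 or 403, since PR:H means the vulnerable code is only reachable by such accounts.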

Priority Score

43 (scale: Low / Medium / High / Critical)
Score components: KEV: 0; EPSS: +0.2; CVSS: +43; POC: 0
