VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2014 · Updated May 6, 2026

CVE-2013-3081

Description

SQL injection vulnerability in the checkEmailFormat function in plugins/jojo_core/classes/Jojo.php in Jojo before 1.2.2 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header to /articles/test/.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (4)

  • Jojocms/Jojo CMS (3 versions)
    • cpe:2.3:a:jojocms:jojo-cms:*:*:*:*:*:*:*:* (range: <=1.2.1)
    • cpe:2.3:a:jojocms:jojo-cms:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:jojocms:jojo-cms:1.2:*:*:*:*:*:*:*
  • Jojocms/Jojo (llm-fuzzy match)
    Range: <1.2.2

Patches

Vulnerability mechanics

Root cause

"The application fails to sanitize the X-Forwarded-For HTTP header before using it in database operations, leading to SQL injection."

Attack vector

An attacker can trigger this vulnerability by sending a crafted HTTP request to the /articles/test/ endpoint. The malicious payload is injected into the X-Forwarded-For header, which is processed by the application without sufficient validation [CWE-89]. This allows the attacker to execute arbitrary SQL commands against the backend database [ref_id=1].

Affected code

The fix commit modifies the getIp function in plugins/jojo_core/classes/Jojo.php [patch_id=4373308]; this function retrieves the visitor's IP address from the X-Forwarded-For header [ref_id=1]. Note the discrepancy with the NVD description above, which attributes the flaw to checkEmailFormat in the same file: the code the patch changes is getIp, the function that actually reads the header, so an audit of an affected install should start there rather than rely on the description's function name.

What the fix does

The patch modifies the getIp function in plugins/jojo_core/classes/Jojo.php to validate the header value before it is used [patch_id=4373308]. Instead of returning the X-Forwarded-For value directly, the code assigns it to a variable and applies a regular expression check that accepts only values in IPv4 dotted-quad form [ref_id=1]; anything else makes the function return false, so SQL metacharacters in the header never reach the database layer [patch_id=4373308]. Two consequences of this design matter when deploying or auditing the fix. First, it is an allow-list on the input rather than a parameterization of the query, so it protects the sink only as long as every caller of getIp handles the false return instead of using it; parameterized queries at the SQL sink remain the complete remedy for CWE-89, with the regex as a defence-in-depth layer on top. Second, because only IPv4 syntax passes, legitimate values such as an IPv6 address or a comma-separated proxy chain (client, proxy1, proxy2) are rejected too, which a deployment behind a reverse proxy needs to account for.
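As an added illustration (not Jojo's source and not the fix-commit diff, which is not reproduced on this page), the following PHP contrasts a pass-through getIp with one that applies the IPv4 regular-expression check described above, shows how the raw header value breaks out of a string-built SQL statement, and shows the prepared-statement form that closes the sink regardless of what the header contains. Both getIp bodies are reconstructions of the behaviour the page describes; the exact regex, the visitor_log table, the query text and the sample requests are constructed assumptions.

```php
<?php
// Added example: not Jojo's source or the fix commit. Both getIp variants are
// reconstructions of the behaviour this page describes; the regex, the SQL
// sink, the visitor_log table and the sample requests are constructed.

// Pre-fix behaviour (reconstructed): the header value is returned untouched.
function getIpVulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Post-fix behaviour (reconstructed): the header is accepted only if it is a
// dotted-quad IPv4 string; anything else yields false. This regex is an
// assumption standing in for the one in the patch, which is not shown here.
function getIpFixed(array $server)
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $ip = $server['HTTP_X_FORWARDED_FOR'];
        if (preg_match('/^(?:\d{1,3}\.){3}\d{1,3}$/', $ip) === 1) {
            return $ip;
        }
        return false;
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Assumed string-built sink: the CWE-89 pattern the header value feeds into.
function buildLogQueryUnsafe(string $ip): string
{
    return "INSERT INTO visitor_log (ip) VALUES ('" . $ip . "')";
}

// The complete remedy at the sink: bind the value instead of concatenating it.
function logVisitorSafe(PDO $pdo, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO visitor_log (ip) VALUES (:ip)');
    $stmt->execute([':ip' => $ip]);
}

// Constructed requests: the client controls X-Forwarded-For.
$requests = [
    'benign'   => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'injected' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => "198.51.100.7' OR '1'='1"],
    'chain'    => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.1'],
];

foreach ($requests as $label => $server) {
    // Vulnerable path: whatever the header holds lands inside the SQL literal.
    echo "[$label] vulnerable path: ", buildLogQueryUnsafe(getIpVulnerable($server)), PHP_EOL;

    // Fixed path: non-IPv4 values (including the proxy chain) are refused.
    $ip = getIpFixed($server);
    if ($ip === false) {
        echo "[$label] fixed path:      header rejected (not IPv4 dotted-quad)", PHP_EOL;
    } else {
        echo "[$label] fixed path:      ", buildLogQueryUnsafe($ip), PHP_EOL;
    }
}

// Prepared statement against an in-memory SQLite database (pdo_sqlite assumed):
// the injected string is stored as a single literal row, not executed.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE visitor_log (ip TEXT)');
logVisitorSafe($pdo, $requests['injected']['HTTP_X_FORWARDED_FOR']);
echo 'rows stored via prepared statement: ',
    $pdo->query('SELECT COUNT(*) FROM visitor_log')->fetchColumn(), PHP_EOL;
```

Run it with `php example.php`. The "chain" case is the one to watch in production: the regex check rejects a legitimate multi-hop X-Forwarded-For header exactly as it rejects the injected one, so a site behind a reverse proxy that relies on getIp for client addresses will see false returned for real visitors unless the first address is split off and validated separately.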

Preconditions

  • Network: the attacker must be able to send HTTP requests to the /articles/test/ endpoint.
  • Input: the attacker must be able to control the X-Forwarded-For HTTP header in the request.

Reproduction

The vulnerability can be reproduced by sending an HTTP request to /articles/test/ with a malicious SQL payload contained within the X-Forwarded-For header [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0): no linked articles in our index yet.