Joomla! Component JB Visa 1.0 SQL Injection via visatype
Description
Joomla! Component JB Visa 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the visatype parameter. Attackers can send GET requests to index.php with the option=com_bookpro and view=popup parameters, injecting SQL commands in the visatype parameter to extract sensitive database information including credentials and table contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and lack of parameterized queries in the `visatype` parameter allow SQL injection."
Attack vector
An unauthenticated attacker sends a crafted GET request to the Joomla! instance at `index.php` with parameters `option=com_bookpro`, `view=popup`, and a malicious `visatype` value containing SQL commands [ref_id=1]. The payload uses a stacked query technique with `AND (SELECT ... FROM INFORMATION_SCHEMA ...)` to extract database contents such as the database name and table schema. Because no authentication is required and the parameter is directly injected into a SQL query, the attack vector is a classic SQL injection (CWE-89) over HTTP.
Affected code
The vulnerability resides in the JB Visa 1.0 Joomla! component, specifically in the handling of the `visatype` parameter passed via GET requests to `index.php?option=com_bookpro&view=popup`. The component fails to sanitize or parameterize user input in the `visatype` parameter before using it in SQL queries, leading to SQL injection [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix. The recommended remediation is to implement parameterized queries or prepared statements for the `visatype` parameter and validate that its value matches an expected type (e.g., an integer or a whitelisted string) before using it in a SQL query. Without a published fix, administrators should disable or remove the vulnerable component until a patched version is released.
Preconditions
- Config: The Joomla! instance must have the JB Visa 1.0 component installed and enabled.
- Auth: No authentication is required; the attacker can reach the vulnerable endpoint over HTTP.
- Network: The attacker must be able to send HTTP GET requests to the Joomla! web server.
- Input: The attacker controls the `visatype` GET parameter value.
Reproduction
Send a GET request to `http://localhost/[PATH]/index.php?option=com_bookpro&view=popup&visatype=259999%20AND(SELECT%201%20FROM%20(SELECT%20COUNT(*)%2cCONCAT((SELECT(SELECT%20CONCAT(CAST(DATABASE()%20AS%20CHAR)%2c0x7e%2c0x496873616e53656e63616e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200%2c1)%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)` [ref_id=1]. The injected SQL extracts the database name and other schema information, confirming the injection.
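Added example, not code from the advisory or from the JB Visa component: a Python implementation of the input validation the remediation section recommends (integer or allow-listed string), reused as a detector over constructed access-log lines so that `com_bookpro` popup requests whose `visatype` would fail that validation are flagged for review. The allow-list contents, the `#__`-style table name being absent, and the combined log format are assumptions.

```python
"""Defensive checks for the JB Visa `visatype` parameter: the validation the
advisory recommends, and a detector that applies it to web-server access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list of non-numeric visatype values is an assumption for illustration;
# the real component's accepted values are not given in the advisory.
ALLOWED_VISATYPE = {"tourist", "business"}

def validate_visatype(value: str):
    """Return the canonical value if `value` is an integer or an allow-listed
    string, else None. This is the check the advisory says should run before
    the value reaches a SQL query (after which it would be bound as a parameter)."""
    value = value.strip()
    if re.fullmatch(r"\d{1,10}", value):
        return int(value)
    if value.lower() in ALLOWED_VISATYPE:
        return value.lower()
    return None

# Combined-log-format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_request(log_line: str):
    """Return details of a com_bookpro popup request whose visatype fails
    validation, or None for unparseable lines, other endpoints, or valid values."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # URL-decodes values
    if qs.get("option") != ["com_bookpro"] or qs.get("view") != ["popup"]:
        return None
    for raw in qs.get("visatype", []):
        if validate_visatype(raw) is None:
            return {"src": src, "time": ts, "method": method, "status": status, "visatype": raw}
    return None

def scan_log(lines):
    """Apply flag_request to every line and keep the hits."""
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample log lines (not real traffic); the second carries a
# non-numeric visatype shaped like the advisory's INFORMATION_SCHEMA probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2017:10:01:02 +0000] "GET /index.php?option=com_bookpro&view=popup&visatype=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Dec/2017:10:01:07 +0000] "GET /index.php?option=com_bookpro&view=popup&visatype=259999%20AND(SELECT%201%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%201) HTTP/1.1" 500 0',
    '198.51.100.2 - - [20/Dec/2017:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 4096',
]
```

Running `scan_log(SAMPLE_LOG)` returns only the second line's details; a 500 status alongside a rejected value is a useful secondary signal, since the error-based probe the advisory describes relies on the database raising an error.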
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/43350 (MITRE: exploit)
- www.vulncheck.com/advisories/joomla-component-jb-visa-sql-injection-via-visatype (MITRE: third-party advisory)
- joombooking.com (MITRE: product)
- extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jb-visa/ (MITRE: product)