Joomla! Component Quiz Deluxe 3.7.4 SQL Injection
Description
Joomla! Component Quiz Deluxe 3.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the ajaxaction.flag_question task. Attackers can inject malicious SQL code via the stu_quiz_id or flag_quest parameters to manipulate database queries and extract sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: =3.7.4 (only this version is named by the advisory)
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the ajaxaction.flag_question task allows SQL injection via the stu_quiz_id and flag_quest parameters."
Attack vector
An unauthenticated attacker sends an HTTP GET request to the Joomla! application with `option=com_joomlaquiz`, `task=ajaxaction.flag_question`, and `tmpl=component`, injecting SQL metacharacters into either the `stu_quiz_id` or `flag_quest` parameter [ref_id=1]. The injected SQL is executed against the database, enabling data extraction or modification. No authentication or special privileges are required.
Affected code
The vulnerability resides in the `ajaxaction.flag_question` task of the Joomla! Quiz Deluxe component (version 3.7.4). The `stu_quiz_id` and `flag_quest` parameters are passed directly into SQL queries without sanitization, allowing injection of arbitrary SQL commands.
What the fix does
The advisory does not provide a patch or vendor fix. Remediation is to stop passing `stu_quiz_id` and `flag_quest` into SQL as raw strings: read them with a typed accessor (in Joomla, `JInput::getInt()`) or cast them to integers before use, and build the query through the database API with `quoteName()`/`quote()` or bound parameters, so user data can only ever be a value inside the query, never part of its structure. Until a fixed version is available, users should disable or remove the component, or block requests for the `ajaxaction.flag_question` task at the web server or WAF.
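The pattern the advisory describes, and the shape of the fix, as an added example in Joomla 3.x style (this is not the Quiz Deluxe component's own code, which the page does not reproduce). The table name `#__quiz_r_student_question`, the column names `flagged` and `c_id`, and the assumption that the task records a flag with an UPDATE are illustrative only; the vulnerable/hardened contrast does not depend on them.

```php
<?php
// Added example, not the Quiz Deluxe component's own code: the unsanitized
// pattern the advisory describes beside a hardened rewrite in Joomla 3.x style.
// The table name #__quiz_r_student_question, the column names and the exact
// shape of the query are assumptions used only to illustrate the pattern.

// Vulnerable pattern: request values are concatenated straight into the SQL,
// so a value such as "1 OR 1=1" or "-1 UNION SELECT ..." becomes part of the query.
function flagQuestionVulnerable(JDatabaseDriver $db, array $request)
{
    $stuQuizId = $request['stu_quiz_id'] ?? '';   // untrusted, used verbatim
    $flagQuest = $request['flag_quest'] ?? '';    // untrusted, used verbatim

    $sql = 'UPDATE #__quiz_r_student_question SET flagged = ' . $flagQuest
         . ' WHERE c_id = ' . $stuQuizId;

    $db->setQuery($sql);

    return $db->execute();
}

// Hardened rewrite: typed retrieval through JInput, an explicit range check,
// and the query builder with quoteName(), so request data can only ever be a
// value inside the query, never part of its structure.
function flagQuestionHardened(JDatabaseDriver $db, JInput $input)
{
    // getInt() casts to integer: "1 OR 1=1" becomes 1, "abc" becomes 0.
    $stuQuizId = $input->getInt('stu_quiz_id', 0);
    // The flag is treated as a boolean in this reconstruction; clamp it to 0 or 1.
    $flagQuest = $input->getInt('flag_quest', 0) === 0 ? 0 : 1;

    if ($stuQuizId <= 0) {
        throw new InvalidArgumentException('stu_quiz_id must be a positive integer');
    }

    $query = $db->getQuery(true)
        ->update($db->quoteName('#__quiz_r_student_question'))
        ->set($db->quoteName('flagged') . ' = ' . (int) $flagQuest)
        ->where($db->quoteName('c_id') . ' = ' . (int) $stuQuizId);

    $db->setQuery($query);

    return $db->execute();
}

// Inside a Joomla controller task both arguments come from the framework:
//   flagQuestionHardened(JFactory::getDbo(), JFactory::getApplication()->input);
```

If a parameter genuinely has to carry a string (a comment, a label), the same rule applies with `$input->getString()` and `$db->quote()` around the value; integer casting is simply the cheapest correct option for identifiers and flags, which is what both parameters here are.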
Preconditions
- config: The Joomla! Quiz Deluxe component (version 3.7.4) must be installed and enabled.
- network: The attacker must be able to send HTTP requests to the Joomla! instance (no authentication required).
- input: The attacker supplies SQL metacharacters in the `stu_quiz_id` or `flag_quest` GET parameters.
Reproduction
Send a GET request to `http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=[SQL]` or `http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=[SQL]`, replacing `[SQL]` with a malicious SQL payload [ref_id=1]. To confirm rather than assume injectability, compare the response to a well-formed numeric value with the response to the same value followed by a condition that should change the query's outcome, and look for a database error or a differing response body.
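The same request signature, turned into a log check a defender can run offline. This is an added example, not part of the advisory: it scans combined-format access-log lines for requests to the `ajaxaction.flag_question` task whose `stu_quiz_id` or `flag_quest` is not a plain integer. The three log lines at the bottom are constructed for illustration; the probe values in them are generic SQL-injection test strings, not a claimed working payload for this component.

```php
<?php
// Added example, not from the advisory: flag access-log requests aimed at the
// ajaxaction.flag_question task whose stu_quiz_id or flag_quest is not a plain
// integer. The log lines at the bottom are constructed for illustration.

function isSuspiciousFlagQuestionRequest(string $requestField): bool
{
    // $requestField is the quoted request, e.g. 'GET /index.php?... HTTP/1.1'.
    if (!preg_match('#^\S+\s+(\S+)#', $requestField, $m)) {
        return false;
    }

    $queryString = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($queryString)) {
        return false;   // no query component, or an unparseable URL
    }

    // parse_str() URL-decodes, so %20AND%20 is seen as " AND ".
    parse_str($queryString, $params);

    if (($params['option'] ?? '') !== 'com_joomlaquiz'
        || ($params['task'] ?? '') !== 'ajaxaction.flag_question') {
        return false;
    }

    foreach (['stu_quiz_id', 'flag_quest'] as $name) {
        if (!isset($params[$name])) {
            continue;
        }
        // Array syntax (stu_quiz_id[]=1) is abnormal for this task as well.
        if (is_array($params[$name])) {
            return true;
        }
        $value = (string) $params[$name];
        if ($value !== '' && !ctype_digit($value)) {
            return true;
        }
    }

    return false;
}

function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: client ident user [time] "request" status size ...
        if (preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"/', $line, $m)
            && isSuspiciousFlagQuestionRequest($m[2])) {
            $hits[] = ['client' => $m[1], 'request' => $m[2]];
        }
    }

    return $hits;
}

// Constructed sample lines: one benign request, then one probe per parameter.
$sampleLog = [
    '203.0.113.7 - - [21/Aug/2017:10:00:01 +0000] "GET /index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=12&flag_quest=1 HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Aug/2017:10:00:05 +0000] "GET /index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=12%20AND%201%3D1 HTTP/1.1" 200 311 "-" "curl/7.55"',
    '198.51.100.9 - - [21/Aug/2017:10:00:06 +0000] "GET /index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=1%27 HTTP/1.1" 500 0 "-" "curl/7.55"',
];

// Only the second and third lines are reported.
foreach (scanAccessLog($sampleLog) as $hit) {
    echo $hit['client'], ' ', $hit['request'], PHP_EOL;
}
```

Run it as `php detect.php` after replacing `$sampleLog` with lines read from the real log. One caveat: Joomla's input layer reads from the merged request, so the same values can arrive in a POST body that a standard access log does not record; to cover that path the check has to run where request bodies are visible (a WAF or reverse proxy), or the task has to be blocked there outright.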
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/42589 (exploit; via MITRE)
- www.vulncheck.com/advisories/joomla-component-quiz-deluxe-sql-injection (third-party advisory; via MITRE)
- joomplace.com (product; via MITRE)
- extensions.joomla.org/extensions/extension/living/education-a-culture/quiz-deluxe/ (product; via MITRE)