Joomla! Component Price Alert 3.0.2 SQL Injection

An unauthenticated attacker sends a crafted HTTP GET request to the Joomla! instance targeting the `com_price_alert` component's `subscribeajax` view. The `product_id` parameter is injected with SQL payloads, such as stacked queries or blind injection constructs, which are executed by the database backend. The exploit-db proof-of-concept demonstrates using `AND`, `SELECT`, `FROM`, and `CONCAT` operators to extract database contents [ref_id=1]. This allows the attacker to retrieve sensitive information including database credentials and configuration data without requiring any prior authentication.

The vulnerability exists in the Joomla! Price Alert component version 3.0.2, specifically in the `subscribeajax` view. The `product_id` parameter is passed directly into SQL queries without sanitization, allowing an attacker to inject arbitrary SQL commands through the `index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=[SQL]` endpoint [ref_id=1].

The advisory does not include a patch diff. The recommended remediation is to ensure that the `product_id` parameter is properly sanitized or parameterized before being used in SQL queries. Without a published fix, users should upgrade to a patched version of the Price Alert component if one becomes available, or apply input validation and prepared statements to the affected `subscribeajax` view.

Send a GET request to `http://localhost/[PATH]/index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=64+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1` [ref_id=1].