VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Joomla! Component Twitch Tv 1.1 SQL Injection

CVE-2017-20270

Description

Joomla! Component Twitch Tv 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the `username` and `id` parameters. Attackers can send GET requests to `index.php` with the `option=com_twitchtv` and `view` parameters, carrying SQL injection payloads, to extract sensitive database information including credentials and configuration data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches: none listed

Vulnerability mechanics

Root cause

"Missing input sanitization in the `username` and `id` parameters allows unauthenticated SQL injection."

Attack vector

An unauthenticated attacker sends crafted GET requests to `index.php` with `option=com_twitchtv` and either `view=twitch&username=[SQL]` or `view=gamecenter&id=[SQL]`. The component fails to sanitize the `username` and `id` parameters before using them in database queries, allowing SQL injection payloads to be appended. By injecting stacked queries or UNION-based subqueries, the attacker can extract arbitrary data from the database. The exploit-db entry demonstrates payloads that retrieve database names, table schemas, and other sensitive information [ref_id=1].

What the fix does

The advisory does not include a patch diff or vendor fix. The recommended remediation is to implement proper input validation and parameterized queries (prepared statements) for the `username` and `id` parameters in the Twitch Tv component. Without a published fix, administrators should disable or remove the component until a patched version is released.
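As an added illustration of the remediation described above, and not code from the Twitch Tv component or from the advisory, the following hypothetical Joomla 3-style model shows the unsafe concatenation pattern the description implies for the `username` lookup, followed by the corrected handling of both `username` and `id` that filters each parameter to its expected type and quotes it through the database driver. The class name, table names (`#__twitchtv`, `#__twitchtv_games`) and column names are assumed.

```php
<?php
// Hypothetical Joomla 3-style model; not the Twitch Tv component's source.
class TwitchTvModelTwitch extends JModelItem
{
    // BEFORE (unsafe pattern the advisory describes): the raw GET value is spliced
    // into the SQL text, so a quote in `username` ends the literal and the rest runs as SQL.
    public function getItemUnsafe()
    {
        $db = JFactory::getDbo();
        $db->setQuery("SELECT * FROM #__twitchtv WHERE username = '" . $_GET['username'] . "'");
        return $db->loadObject();
    }

    // AFTER: filter the parameter to the type it must have and quote it through
    // the database driver, so the input can never change the query structure.
    public function getItem()
    {
        $db    = JFactory::getDbo();
        $input = JFactory::getApplication()->input;
        // getString() applies Joomla's STRING filter; quote() escapes the value
        // for the active driver and wraps it in quotes.
        $username = $input->getString('username', '');
        if ($username === '') {
            return null;
        }
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'username', 'channel')))
            ->from($db->quoteName('#__twitchtv'))
            ->where($db->quoteName('username') . ' = ' . $db->quote($username));
        return $db->setQuery($query)->loadObject();
    }

    // Same treatment for `view=gamecenter&id=`: getInt() casts to integer, so no
    // string reaches the SQL; non-positive values cannot be a row id, so reject them.
    public function getGame()
    {
        $db = JFactory::getDbo();
        $id = JFactory::getApplication()->input->getInt('id', 0);
        if ($id <= 0) {
            return null;
        }
        $query = $db->getQuery(true)
            ->select('*')
            ->from($db->quoteName('#__twitchtv_games'))
            ->where($db->quoteName('id') . ' = ' . (int) $id);
        return $db->setQuery($query)->loadObject();
    }
}
```

Until a fixed release exists, the same defensive check can be used to audit any custom component: every value read from the request must pass through a type filter and `quote()`/`quoteName()` (or a bound parameter) before it reaches `setQuery()`.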

Preconditions

  • config: The Joomla! Twitch Tv 1.1 component must be installed and enabled.
  • auth: No authentication is required; the attack is performed over HTTP GET requests.
  • network: The attacker must be able to reach the Joomla! instance over the network.
  • input: The attacker supplies malicious SQL payloads in the `username` or `id` GET parameters.

Reproduction

Visit `http://localhost/[PATH]/index.php?option=com_twitchtv&view=twitch&username=gobgg'++aND(/*!22223SELECT*/+0x30783331+/*!22223FROM*/+(/*!22223SELECT*/+cOUNT(*),/*!22223CONCAT*/((sELECT(sELECT+/*!22223CONCAT*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+aNd+''='` to trigger the SQL injection and retrieve database information [ref_id=1].

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.