VYPR
High severity 8.2 · NVD Advisory · Published May 23, 2026 · Updated May 26, 2026

CVE-2018-25351


Description

Joomla! Component EkRishta 2.10 is vulnerable to unauthenticated error-based SQL injection via the username parameter, allowing database extraction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Joomla! Component EkRishta version 2.10 contains an error-based SQL injection vulnerability in the login functionality. The username parameter is not properly sanitized before being used in SQL queries. An unauthenticated attacker can inject malicious SQL code via POST requests to the /index.php/login/sign-in endpoint. The vulnerability is confirmed in version 2.10 and likely affects earlier versions as well [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to the login endpoint with a malicious payload in the username field. No authentication is required. The exploit uses error-based techniques, such as `extractvalue()`, to extract database information. The PoC payload `1' AND extractvalue(1,concat(0x3a,user(),0x3a))#` triggers an XPATH syntax error that reveals the database user in the response [1]. The attacker can modify the payload to extract other data like credentials and system details.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. This can lead to disclosure of sensitive information, including user credentials and system details. The CVSS v3 score is 8.2 (High), indicating significant confidentiality impact. The attacker does not gain direct remote code execution but can potentially escalate privileges using extracted credentials [2].

Mitigation

As of the available references, no official patch has been released for this vulnerability. The component EkRishta version 2.10 is affected, and the vendor may have discontinued support. Users are advised to remove or replace the component with a secure alternative. The vulnerability is listed in the Exploit Database (EDB-ID 44877) [1] and tracked by VulnCheck [2]. No workaround is provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the username parameter allows SQL injection into the login query."

Attack vector

An unauthenticated attacker sends a POST request to `/ekrishta/index.php/login/sign-in` with a malicious `username` parameter containing an error-based SQL injection payload [ref_id=1]. The payload `1' AND extractvalue(1,concat(0x3a,user(),0x3a))#` closes the SQL string and injects an `extractvalue()` function that triggers an XPATH syntax error, causing the database to return the result of the injected expression (e.g., the database user) in the error message [ref_id=1]. No authentication or special privileges are required; the attacker only needs network access to the Joomla! instance.

Affected code

The vulnerability exists in the login component of Joomla! EkRishta 2.10. The `username` parameter processed by the `check_login` task in `com_ekrishta` is passed unsanitized into a SQL query, as shown by the error response revealing the query: `select * from #__users where username='1' AND extractvalue(1,concat(0x3a,user(),0x3a))#'` [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not include a fix or remediation from the vendor. To close this vulnerability, the application must properly sanitize or parameterize the `username` input before including it in SQL queries, preventing injected SQL from being interpreted as part of the query structure.
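
The parameterization described above, as an added example that is not the component's code or a vendor fix: the query shape quoted under "Affected code" is built once by string concatenation and once with a bound parameter, and both are fed the payload from this advisory. An in-memory SQLite database stands in for the site's MySQL server; the `jos_users` table, its row and the two function names are assumptions made for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the site's MySQL database.
// The table name, columns and row are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO jos_users (username, password) VALUES ('alice', 'constructed-hash')");

// Vulnerable pattern: the value is pasted between the quotes, so a quote in
// the input ends the string literal and the rest is parsed as SQL.
function findUserConcatenated(PDO $pdo, string $username): array
{
    $sql = "select * from jos_users where username='" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement text is fixed and the value is bound
// separately, so it can only ever be compared as data.
function findUserParameterized(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('select * from jos_users where username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Payload quoted in the advisory text above.
$payload = "1' AND extractvalue(1,concat(0x3a,user(),0x3a))#";

foreach (['alice', $payload] as $input) {
    try {
        $rows = findUserConcatenated($pdo, $input);
        echo "concatenated:  ", count($rows), " row(s)\n";
    } catch (PDOException $e) {
        // The engine tried to parse the input as SQL. On MySQL this is the
        // point where the XPATH error text carries data back to the client.
        echo "concatenated:  database error: ", $e->getMessage(), "\n";
    }
    // The bound version never raises here: the payload is just a username
    // that matches no row.
    $rows = findUserParameterized($pdo, $input);
    echo "parameterized: ", count($rows), " row(s)\n";
}
```

Inside a Joomla extension the same effect comes from the framework's database layer, for example passing the value through `$db->quote()` when building the `where` clause. Returning a generic error page instead of the database message also removes the channel the error-based technique relies on, though it does not fix the injection itself.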

Preconditions

  • network: The attacker must be able to reach the Joomla! instance over the network.
  • auth: No authentication is required; the login endpoint is publicly accessible.
  • input: The attacker submits a crafted POST request with a SQL injection payload in the username field.

Reproduction

1. Send a POST request to `http://joomlaextension.biz/ekrishta/index.php/login/sign-in` with the body: `username=1' AND extractvalue(1,concat(0x3a,user(),0x3a))#&passwd=test&Submit=Log+in+to+your+account&Itemid=117&option=com_ekrishta&view=alluser&task=check_login&lid=loginuser&return=L2VrcmlzaHRhL2luZGV4LnBocC9sb2dpbi9zaWduLWlu&bac2b97217cd995b069b5b0bc198de1c=1` [ref_id=1].
2. Observe the server responds with HTTP 500 and an error message such as `XPATH syntax error: ':harmiste_rishtaa@localhost:'` revealing the database user [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
