CVE-2018-6395

An attacker sends a crafted HTTP GET request to the Joomla! instance with `option=com_visualcalendar`, `view=load`, and a malicious `id` parameter [ref_id=1]. The `id` parameter is vulnerable to boolean-based blind, time-based blind, and UNION query injection techniques [ref_id=1]. No authentication is required; the attacker only needs network access to the web application.

The vulnerable component is Visual Calendar 3.1.3 for Joomla!. The SQL injection occurs in the view=load action, where the `id` GET parameter is passed unsanitized into a database query [ref_id=1]. The specific file or function within the component is not identified in the advisory.

No patch or official fix is published in the provided bundle. The advisory does not include a vendor patch or remediation guidance. Users should apply input validation and parameterized queries to the `id` parameter in the view=load action, or contact the vendor for an updated version.

1. Identify a Joomla! site running Visual Calendar 3.1.3. 2. Send a GET request to `http://localhost/[PATH]/index.php?option=com_visualcalendar&view=load&id=[SQL]` where `[SQL]` is a malicious payload. 3. Example payloads from the exploit [ref_id=1]: - Boolean-based blind: `id=1 AND 2616=2616` - Time-based blind: `id=1 AND SLEEP(5)` - UNION query: `id=1 UNION ALL SELECT CONCAT(0x716a627a71,...),NULL,NULL,NULL,NULL,NULL-- QpYd`