CVE-2018-6604
Description
SQL injection in Zh YandexMap 6.2.1.0 for Joomla! via the id parameter allows remote attackers to execute arbitrary SQL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zh YandexMap component version 6.2.1.0 for Joomla! contains a SQL injection vulnerability in the handling of the id parameter during a task=getPlacemarkDetails request. The component fails to properly sanitize user-supplied input before using it in SQL queries. This affects installations running the Zh YandexMap extension version 6.2.1.0 [1].
Exploitation
An attacker can exploit this vulnerability by sending an HTTP request to the Joomla! instance with a crafted id parameter value injected with SQL syntax, such as a UNION-based select to extract data. No authentication is required; the attack can be performed remotely over the network. The request is typically of the form ?option=com_zhyandexmap&task=getPlacemarkDetails&id=[SQLi] [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to disclosure of sensitive information, including usernames, password hashes, and other Joomla! data. Full database compromise is possible, potentially leading to further server-side attacks [1].
Mitigation
The vendor has not released a fixed version for Zh YandexMap 6.2.1.0 as of the publication date. Users should disable or uninstall the component until a patch is available. The extension may be abandoned as the vendor site appears inactive. No workaround other than removal is known [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =6.2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `id` parameter in the `getPlacemarkDetails()` function allows SQL injection."
Attack vector
An attacker sends a POST request to `index.php?option=com_zhyandexmap&no_html=1&format=raw&task=getPlacemarkDetails` with a crafted `id` parameter containing SQL injection payloads [1]. The `id` parameter is passed unsanitized into a SQL query, allowing the attacker to extract arbitrary data from the database. The exploit uses a UNION-based injection technique with MySQL comment syntax to bypass restrictions and enumerate table names from `INFORMATION_SCHEMA` [1]. No authentication is required; the attacker only needs network access to the Joomla! instance.
Affected code
The vulnerable component is `com_zhyandexmap` for Joomla!, version 6.2.1.0. The exploit references `controller.php` and specifically the `getPlacemarkDetails()` function at line 29, which processes the `id` parameter without proper sanitization [1].
What the fix does
No patch is included in the bundle. The advisory does not provide remediation guidance beyond the disclosure of the vulnerability [1]. To fix this issue, the application should use prepared statements or parameterized queries when handling the `id` parameter in the `getPlacemarkDetails()` function, and validate that the input is an expected type (e.g., integer) before use in a SQL query.
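The remediation described above, shown as an added illustration that is not the component's actual code: a hypothetical Joomla 3 controller task that concatenates the raw `id` into SQL, beside a hardened version that casts it to an integer with `getInt()` and builds the query through the database API. The table and column names are placeholders.

```php
<?php
// Added illustration, not Zh YandexMap's own code. Assumes a Joomla 3 controller
// task that returns one placemark row as JSON (format=raw); table and column
// names are placeholders.
defined('_JEXEC') or die;

class ZhYandexMapControllerPlacemark extends JControllerLegacy
{
    // Vulnerable pattern (hypothetical): the raw request value is spliced into
    // the SQL string, so any SQL syntax in ?id= becomes part of the query.
    public function getPlacemarkDetailsUnsafe()
    {
        $id = JFactory::getApplication()->input->get('id', '', 'raw');
        $db = JFactory::getDbo();
        $db->setQuery('SELECT * FROM #__zhyandexmap_placemarks WHERE id = ' . $id);
        echo json_encode($db->loadAssoc());
    }

    // Hardened pattern: validate the type first, then use only the typed value.
    public function getPlacemarkDetails()
    {
        $app = JFactory::getApplication();

        // getInt() casts to int: "-11 UNION ..." collapses to -11, "abc" to 0.
        $id = $app->input->getInt('id', 0);
        if ($id <= 0) {
            // Reject anything that is not a plausible primary key.
            $app->setHeader('status', 400, true);
            echo json_encode(array('error' => 'invalid id'));
            return;
        }

        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'title', 'description', 'lat', 'lng')))
            ->from($db->quoteName('#__zhyandexmap_placemarks'))
            // $id is already an int; the explicit cast documents the invariant.
            // A string column would instead need $db->quote($value).
            ->where($db->quoteName('id') . ' = ' . (int) $id);

        $db->setQuery($query);
        $row = $db->loadAssoc();
        if ($row === null) {
            $app->setHeader('status', 404, true);
            echo json_encode(array('error' => 'not found'));
            return;
        }
        echo json_encode($row);
    }
}
```

For a single integer key, the `getInt()` cast plus a fixed query shape gives the same guarantee as a bound parameter: no request byte ever reaches the SQL text unparsed.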
Preconditions
- config: The Joomla! instance must have the Zh YandexMap 6.2.1.0 component installed and enabled.
- network: The attacker must be able to send HTTP POST requests to the Joomla! site.
- auth: No authentication is required; the vulnerable endpoint is publicly accessible.
- input: The attacker supplies a malicious `id` parameter value containing SQL injection syntax.
Reproduction
1. Identify a Joomla! site running the Zh YandexMap component version 6.2.1.0.
2. Send a POST request to `http://target/[PATH]/index.php?option=com_zhyandexmap&no_html=1&format=raw&task=getPlacemarkDetails` with the `id` parameter set to a UNION-based SQL injection payload, such as: `-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((...))--` [1].
3. Observe the response, which will include extracted database information (e.g., table names) injected into the output.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.exploit-db.com/exploits/43975/ (MITRE x_refsource_EXPLOIT-DB)
News mentions
No linked articles in our index yet.