Joomla J-CruisePortal 6.0.4 SQL Injection via cruises

An authenticated attacker sends a crafted POST request to the `/cruises/cruises` endpoint with a malicious SQL payload injected into the `guest_adult` parameter. The payload uses URL-encoded comment and sleep directives (e.g., `2 /*!11111anD*/ sleep(5)`) to manipulate the SQL query executed by the J-CruisePortal component. Because the application fails to sanitize or parameterize the `guest_adult` input, the injected SQL is executed against the database, allowing the attacker to extract sensitive data or alter records. The exploit requires prior authentication, as indicated by the session cookies in the PoC request. [ref_id=1]

The advisory does not include a published patch. To remediate the vulnerability, the application must properly sanitize or parameterize the `guest_adult` parameter (and all other user-supplied inputs) before including them in SQL queries. Using prepared statements or parameterized queries would prevent injected SQL from being interpreted as executable code. Without such input validation, the component remains vulnerable to SQL injection attacks. [ref_id=1]

Send a POST request to `http://TARGET/[PATH]/cruises/cruises` with the body containing `controller=search&task=searchCruises&guest_adult=2%20%20%2f%2a%21%31%31%31%31%31%61%6e%44%2a%2f%20%73%6c%65%65%70%28%35%29` (which decodes to `2 /*!11111anD*/ sleep(5)`) along with the required session cookies. If the application delays its response by approximately 5 seconds, the SQL injection is confirmed. [ref_id=1]