Joomla! Component JoomCRM 1.1.1 SQL Injection via deal_id

An authenticated attacker sends a crafted GET request to `index.php?option=com_joomcrm&view=contacts&format=raw&loc=deal&tmpl=component` with a malicious `deal_id` parameter containing SQL injection payloads [ref_id=1]. Alternatively, a POST request to the events view with a crafted `association_id` parameter can also be used [ref_id=1]. The injected SQL is executed by the database backend, allowing the attacker to extract sensitive information such as database names and table schemas.

The vulnerability exists in the Joomla! JoomCRM component version 1.1.1. The `deal_id` parameter in the `index.php?option=com_joomcrm&view=contacts` endpoint is not sanitized before being used in SQL queries, and the `association_id` parameter in the events view is similarly vulnerable.

The advisory does not include a published patch. To remediate the vulnerability, the application must properly sanitize or parameterize the `deal_id` and `association_id` parameters before they are used in SQL queries. Without a fix, an attacker can continue to inject arbitrary SQL through these unsanitized input fields.

Send a GET request to `http://localhost/[PATH]/index.php?option=com_joomcrm&view=contacts&format=raw&loc=deal&tmpl=component&deal_id=31%39%20A%4e%44...` (full URL-encoded payload shown in the exploit) [ref_id=1]. The server returns a 500 error, but the injected SQL has already executed against the database.