VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Joomla! Component JoomProject 1.1.3.2 Information Disclosure

CVE-2019-25762

Description

Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The projects endpoint lacks authentication and authorization checks, allowing unauthenticated access to user data."

Attack vector

An unauthenticated attacker sends an HTTP GET request to the Joomla! instance with the query string `option=com_jpprojects&view=projects&tmpl=component&format=json`. The component responds with a JSON payload containing user IDs, names, and email addresses. No authentication or session token is required, making the attack trivially exploitable from any network that can reach the web server [ref_id=1].

Affected code

The Joomla! component JoomProject 1.1.3.2 exposes the `index.php?option=com_jpprojects&view=projects&tmpl=component&format=json` endpoint without access control. This endpoint returns a JSON array containing user records that include `id`, `author_name`, and `author_email` fields [ref_id=1].

What the fix does

The advisory does not include a published patch. To remediate the vulnerability, the component must enforce authentication and authorization checks on the `projects` view before returning user data. Without such controls, any visitor can enumerate registered users by requesting the JSON-formatted endpoint [ref_id=1].
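
With no patch published, reviewing web server access logs shows whether the endpoint has already been queried. The following is an added example, not code from the advisory or from the component: it scans access log lines for the query string described above, regardless of parameter order, percent-encoding or value case. It assumes combined-format access logs; the sample lines and addresses are constructed, and matching without `tmpl=component` is a deliberate broadening.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format fields (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters from the advisory that select the JSON projects view.
# tmpl=component is not required here, so the match is slightly broader.
SIGNATURE = {"option": "com_jpprojects", "view": "projects", "format": "json"}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2026:10:01:02 +0000] "GET /index.php?option=com_jpprojects&view=projects&tmpl=component&format=json HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.4 - - [20/Jun/2026:10:02:10 +0000] "GET /index.php?format=JSON&view=projects&option=com%5Fjpprojects HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.9 - - [20/Jun/2026:10:03:00 +0000] "GET /index.php?option=com_jpprojects&view=projects HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Jun/2026:10:03:05 +0000] "GET /index.php?option=com_content&view=article&id=1&format=json HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def is_projects_json_request(target):
    """True if the request target carries all three signature parameters."""
    # parse_qs percent-decodes names and values and ignores parameter order.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return all(
        any(value.strip().lower() == wanted for value in query.get(key, []))
        for key, wanted in SIGNATURE.items()
    )

def find_hits(lines):
    """Return one record per log line that requested the JSON projects view."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_projects_json_request(m["target"]):
            continue
        # A 200 with a non-empty body means a response was sent: review first.
        served = m["status"] == "200" and m["size"] not in ("-", "0")
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "status": int(m["status"]), "served": served})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true are the ones where user data may have been returned; the same signature can back a temporary web server or WAF deny rule until the component enforces access control.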

Preconditions

  • config: The JoomProject component (version 1.1.3.2) must be installed and enabled on the Joomla! site.
  • network: The attacker must be able to send HTTP requests to the Joomla! web server.

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
