CVE-2021-47930
Description
Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Balbooa Joomla Forms Builder 2.0.6 is vulnerable to unauthenticated SQL injection via the form submission handler, allowing remote attackers to extract database information.
Vulnerability Overview
CVE-2021-47930 is an unauthenticated SQL injection vulnerability in the Balbooa Joomla Forms Builder version 2.0.6. The root cause is improper neutralization of special elements used in an SQL command (CWE-89) within the form submission handler. Specifically, the 'id' field parameter in a JSON payload sent to the com_baforms component is not sanitized before being used in database queries [1][3].
Exploitation Details
An attacker can exploit this vulnerability by sending a crafted POST request to /index.php?option=com_baforms with a multipart form-data body containing a JSON object where the 'id' field contains malicious SQL. No authentication is required, and the attack can be performed remotely over the network. The exploit does not require any special privileges or user interaction [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the underlying database. This can lead to the extraction of sensitive information such as user credentials, session tokens, and other configuration data. The CVSS v3 base score of 8.2 (High) reflects the high confidentiality impact and the low complexity of the attack [3].
Mitigation
As of the publication date, the vulnerability affects Balbooa Joomla Forms Builder version 2.0.6. Users should upgrade to a patched version if available. No official workaround has been documented, but disabling the component or restricting access to the form submission endpoint may reduce risk [1][3].
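The interim restriction mentioned above can be made concrete as a request-side check, for instance in a reverse-proxy or WAF hook, that rejects com_baforms submissions whose JSON 'id' value is not a plain integer. This is an added example, not code from the advisory or from Balbooa. The multipart field names, the JSON layout and the integer-only rule are assumptions; the page states only that the 'id' field of the JSON payload reaches the query unsanitized.

```python
import json
import re

# Assumption: a legitimate 'id' is a short decimal integer (JSON number or digit string).
_INT_RE = re.compile(r"[0-9]{1,10}")


def _is_plain_int(value):
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return value >= 0
    return isinstance(value, str) and _INT_RE.fullmatch(value) is not None


def _bad_ids(node, path="$"):
    """Yield (json_path, value) for every 'id' key that is not a plain integer."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "id" and not _is_plain_int(value):
                yield here, value
            yield from _bad_ids(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _bad_ids(item, f"{path}[{i}]")


def check_submission(fields):
    """fields maps multipart field name -> raw string value.
    Returns a list of (field_name, json_path, value) findings; empty means pass."""
    findings = []
    for name, raw in fields.items():
        try:
            doc = json.loads(raw)
        except (TypeError, ValueError):
            continue  # not JSON, outside the scope of this check
        findings.extend((name, path, value) for path, value in _bad_ids(doc))
    return findings


# Constructed sample submissions; field name "1" and the JSON keys are hypothetical.
SAMPLES = {
    "ok": {"1": '{"type":"text","id":"12","name":"Email","value":"a@example.org"}'},
    "bad": {"1": '{"type":"text","id":"12 OR 1=1","name":"Email","value":"x"}'},
    "nested": {"form": '[{"id": 3}, {"id": {"x": 1}}]', "note": "plain text"},
}
```

A non-empty result should block the request and be logged; the durable fix remains a parameterized query or integer cast inside the component itself.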
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: = 2.0.6
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.