Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration
Description
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The `getUserData()` function in `admin/controllers/customer.php` returns user profile fields without any authentication or authorization check."
Attack vector
An unauthenticated attacker sends a GET request to `index.php` with parameters `option=com_booking`, `controller=customer`, `task=getUserData`, and an integer `id` value. The `getUserData()` function in `admin/controllers/customer.php` calls `JFactory::getUser(JRequest::getInt('id'))` and returns the user's name, username, and email as JSON without any access control [ref_id=1]. By iterating the `id` parameter (e.g., 1, 2, 3, …), the attacker can brute-force enumerate every registered user account on the Joomla site.
What the fix does
The advisory does not include a patch. To close the vulnerability, the `getUserData()` function must enforce authentication and authorization checks before returning user profile data. Without a patch, the function remains accessible to any unauthenticated visitor who can supply an arbitrary user ID.
Preconditions
- config: The Joomla site must have the com_booking component version 2.4.9 installed and enabled.
- auth: No authentication or session is required; the endpoint is publicly accessible.
- network: The attacker must be able to send HTTP GET requests to the Joomla instance.
- input: The attacker supplies an integer id parameter to enumerate user accounts.
Reproduction
Run the provided Python exploit script against a target running Joomla with com_booking 2.4.9:
```
python exploit.py -u http://target/joomla
```
The script iterates `id` values starting at 1 and prints the JSON response containing `name`, `username`, and `email` for each valid user [ref_id=1].
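Because the endpoint is unauthenticated and the advisory ships no patch, the practical defender-side control while waiting for a fix is to spot the enumeration pattern in web server logs: one client requesting `task=getUserData` with many distinct `id` values in a short window. The following is an added example, not code from the page or from the ARTIO component; the Apache combined-format log lines, client addresses and the `/joomla` path are constructed for illustration, and the `min_ids` threshold is an arbitrary tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache combined-format access log lines (not real traffic).
# 203.0.113.7 walks id=1..6 against getUserData; 198.51.100.4 makes a single request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jun/2026:10:00:01 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=1 HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jun/2026:10:00:02 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=2 HTTP/1.1" 200 121 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jun/2026:10:00:02 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=3 HTTP/1.1" 200 117 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jun/2026:10:00:03 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=4 HTTP/1.1" 200 2 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jun/2026:10:00:03 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=5 HTTP/1.1" 200 124 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jun/2026:10:00:04 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=6 HTTP/1.1" 200 119 "-" "python-requests/2.31"
198.51.100.4 - - [20/Jun/2026:10:01:00 +0000] "GET /joomla/index.php?option=com_booking&view=bookings HTTP/1.1" 200 5320 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jun/2026:10:01:05 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=42 HTTP/1.1" 200 119 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_getuserdata(target):
    """True when the request target hits the vulnerable com_booking customer/getUserData task."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return (
        parts.path.endswith("/index.php")
        and qs.get("option") == ["com_booking"]
        and qs.get("controller") == ["customer"]
        and qs.get("task") == ["getUserData"]
    )


def getuserdata_ids_by_ip(lines):
    """Collect every integer id requested via getUserData, grouped by client IP."""
    ids = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_getuserdata(rec["target"]):
            continue
        qs = parse_qs(urlsplit(rec["target"]).query)
        try:
            uid = int(qs.get("id", [""])[0])
        except ValueError:
            continue  # non-integer id: JRequest::getInt would coerce it, ignore here
        ids[rec["ip"]].append(uid)
    return ids


def detect_enumeration(lines, min_ids=5):
    """Return {ip: sorted distinct ids} for clients that queried at least min_ids distinct ids.

    min_ids is a tuning threshold chosen for this example; a legitimate front-end
    rarely needs to look up more than a handful of customer records per visitor.
    """
    flagged = {}
    for ip, uids in getuserdata_ids_by_ip(lines).items():
        distinct = sorted(set(uids))
        if len(distinct) >= min_ids:
            flagged[ip] = distinct
    return flagged


if __name__ == "__main__":
    for ip, uids in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible account enumeration from {ip}: ids {uids[0]}..{uids[-1]} ({len(uids)} distinct)")
```

The matcher keys on the query parameters rather than a raw substring so that parameter order and extra parameters do not evade it; a single legitimate-looking lookup (the `id=42` request) stays below the threshold, while the sequential walk is reported. The same grouping logic can be fed from a SIEM query instead of a local file.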
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/51595 (mitre; exploit)
- www.vulncheck.com/advisories/joomla-com-booking-information-disclosure-via-account-enumeration (mitre; third-party advisory)
- www.artio.net (mitre; product)
- www.artio.net/downloads/joomla/book-it/book-it-2-free/download (mitre; product)