[20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package
Description
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the Database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or the 3.x branch, and therefore the vulnerability in question cannot be exploited when using the original database class. However, classes extending the affected class might be affected if they use the vulnerable method.
AI Insight
SQL injection in Joomla Framework Database package's quoteNameStr method, exploitable only in custom subclasses, fixed in versions 2.2.0 and 3.4.0.
The Joomla Framework Database package contains a SQL injection vulnerability in the quoteNameStr method due to improper handling of identifiers [1]. This protected method does not properly sanitize input, allowing an attacker to inject arbitrary SQL when the method is called with untrusted data.
The vulnerability is not exploitable in the default Joomla Framework installation because the quoteNameStr method is protected and not used within the original package's own code [1][3]. However, any class that extends the affected database class and calls this method with user-controlled input could be vulnerable. The attack requires the attacker to supply crafted identifiers that bypass the intended escaping.
Successful exploitation could allow an attacker to execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion, depending on the database permissions. The Joomla Security Centre rates the impact as High but the severity as Low due to the low probability of exploitation in typical deployments [3].
The vulnerability affects versions 1.0.0 through 2.1.1 and 3.0.0 through 3.3.1 of the Database package. It was fixed in versions 2.2.0 and 3.4.0, released on April 2, 2025 [3]. Users are advised to upgrade to the patched versions. No workaround is provided for custom subclasses other than updating.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
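The practical mitigation the description implies for a subclass that quotes identifiers taken from request input is to never hand untrusted strings to a quoting routine at all: check each identifier part against an allowlist of names the application knows, and double any embedded quote character as defence in depth. The following is example code written for this page, not code from the joomla/database package; the class name IdentifierQuoter, its quoteName method and the sample identifiers are assumptions.

```php
<?php
declare(strict_types=1);

// Added defensive example (not code from the joomla/database package).
// A subclass that must quote identifiers coming from untrusted input should
// (1) validate each part against an allowlist and (2) escape the quote
// character inside any part it does quote.

final class IdentifierQuoter
{
    /** @var array<string, true> Known table/column names (constructed sample). */
    private array $allowed;

    /** @param string[] $allowedIdentifiers */
    public function __construct(array $allowedIdentifiers)
    {
        $this->allowed = array_fill_keys($allowedIdentifiers, true);
    }

    /**
     * Quote a possibly dotted identifier (e.g. "users.email") for MySQL.
     * Each part is wrapped in backticks and any embedded backtick is doubled,
     * which is the MySQL rule for a literal backtick inside a quoted name.
     * A part that is not on the allowlist raises an exception, so unexpected
     * input never reaches the SQL string.
     */
    public function quoteName(string $name): string
    {
        $quoted = [];
        foreach (explode('.', $name) as $part) {
            if (!isset($this->allowed[$part])) {
                throw new InvalidArgumentException(
                    sprintf('Unknown identifier part: %s', $part)
                );
            }
            $quoted[] = '`' . str_replace('`', '``', $part) . '`';
        }
        return implode('.', $quoted);
    }
}

// Identifiers this application knows about (constructed sample).
$quoter = new IdentifierQuoter(['users', 'id', 'email', 'created_at']);

echo $quoter->quoteName('users.email'), PHP_EOL;

// A sort column chosen by a client is checked before it is quoted
// (constructed sample request value).
$requested = 'created_at';
try {
    echo 'ORDER BY ' . $quoter->quoteName($requested), PHP_EOL;
} catch (InvalidArgumentException $e) {
    // Reject and log; never fall back to the raw value.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A name that is not on the allowlist, including one containing a quote
// character, is rejected rather than interpolated (constructed sample).
try {
    $quoter->quoteName('ema`il');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the control that actually closes the gap: with it in place the escaping step is only a second line of defence for parts that are known to be legitimate. Run with `php example.php`; the first two calls print quoted identifiers and the third prints a rejection message.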
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joomla/database (Packagist) | >= 3.0.0, < 3.4.0 | 3.4.0 |
| joomla/database (Packagist) | >= 1.0.0, < 2.2.0 | 2.2.0 |
Affected products
OSV coordinates:
- (no CPE) range: >= 1.0.0, < 5.0.3
- (no CPE) range: >= 3.0.0, < 3.4.0
- Joomla! Project / Joomla! Framework v5, range: 1.0.0-2.1.1