CVE-2025-2126 MEDIUM

CVE-2025-2126: JoomlaUX JUX Real Estate GET Parameter realties sql injection

Vendor Joomlaux
Product JUX Real Estate
Weakness CWE-89 · SQLi
Published March 9, 2025
Last update March 10, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla and classified as critical. This issue affects some unknown processing of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties of the component GET Parameter Handler. The manipulation of the argument title leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Explanation of Vulnerability in Simple Terms

02Summary

JUX Real Estate versions 3.4.0 and later contain a SQL injection vulnerability in the Joomla extension. An attacker with low-level site access can inject malicious SQL commands through unfiltered input, potentially reading or modifying database contents. The vulnerability requires authentication but no user interaction.

What an attacker can do

03Attacker Capabilities

Read or modify database records by injecting SQL commands through the extension.

Potential impact on your site

04Site Impact

Unauthorized database access could expose user data, settings, or allow modification of site content and configuration.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege account on the Joomla site (e.g., registered user or contributor).

Key dates

06Disclosure timeline

March 9, 2025 CVE published
March 10, 2025 Record updated