What the vulnerability does
01Description
A SQL injection vulnerability in JEvents component before 3.6.88 and 3.6.82.1 for Joomla was discovered. The extension is vulnerable to SQL injection via publicly accessible actions to list events by date ranges.
Explanation of Vulnerability in Simple Terms
02Summary
JEvents component for Joomla contains a SQL injection vulnerability in versions 3.6.82 and earlier. An attacker can craft malicious input to execute arbitrary SQL queries against the site's database without authentication. This allows reading, modifying, or deleting sensitive data including user credentials and site configuration.
What an attacker can do
03Attacker Capabilities
Execute arbitrary SQL queries to read, modify, or delete database records without logging in.
Potential impact on your site
04Site Impact
Attackers can steal user passwords, modify event data, or take the site offline by corrupting the database.
Conditions required to exploit
05Prerequisites
Network access to the Joomla site; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 12, 2025
CVE published
June 12, 2025
Record updated