CVE-2025-49468 HIGH

CVE-2025-49468: Joomla Extension - nobossextensions.com - SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla

Vendor Nobossextensions.com
Product No Boss Calendar component for Joomla
Weakness CWE-89 · SQLi
Published June 13, 2025
Last update June 13, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter.

Explanation of Vulnerability in Simple Terms

02Summary

The No Boss Calendar component for Joomla contains a SQL injection vulnerability in versions 1.0.0 through 5.0.6. An attacker with high-level administrative privileges can inject malicious SQL code through unfiltered input, potentially reading or modifying the site database. This requires authenticated access to administrative functions.

What an attacker can do

03Attacker Capabilities

Read or modify the Joomla database by injecting SQL commands through the component.

Potential impact on your site

04Site Impact

A compromised admin account could allow an attacker to steal site data, modify content, or create backdoor accounts.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrative access to the Joomla site.

Key dates

06Disclosure timeline

June 13, 2025 CVE published
June 13, 2025 Record updated

Related vulnerabilities

08Related CVE