What the vulnerability does
01Description
A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter.
Explanation of Vulnerability in Simple Terms
02Summary
The No Boss Calendar component for Joomla contains a SQL injection vulnerability in versions 1.0.0 through 5.0.6. An attacker with high-level administrative privileges can inject malicious SQL code through unfiltered input, potentially reading or modifying the site database. This requires authenticated access to administrative functions.
What an attacker can do
03Attacker Capabilities
Read or modify the Joomla database by injecting SQL commands through the component.
Potential impact on your site
04Site Impact
A compromised admin account could allow an attacker to steal site data, modify content, or create backdoor accounts.
Conditions required to exploit
05Prerequisites
Attacker must have high-level administrative access to the Joomla site.
Key dates
06Disclosure timeline
June 13, 2025
CVE published
June 13, 2025
Record updated