SQL injection vulnerability in jooget.php in the Joomlapixel Jooget! (com_jooget) 2.6.8 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail task.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/27836 | vdb entry exploit |
| https://www.exploit-db.com/exploits/5132 | exploit |
| http://secunia.com/advisories/28998 | patch vendor advisory third party advisory |
| http://forum.joomlaitalia.com/index.php?topic=388.0 | |
| http://members.joomlapixel.eu/download/componenti/patch-jooget-2.6.8-sql-injection/details.html |