CVE-2023-54357
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Artio | Joomla! com_booking component | 2.4.9 | affected |
Weaknesses
- CWE-203: Observable Discrepancy
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://www.exploit-db.com/exploits/51595
- http://www.artio.net/
- http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download
- https://www.vulncheck.com/advisories/joomla-com-booking-information-disclosure-via-account-enumeration
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.