-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability description and the provided commit patches clearly point to the quoteNameStr method in src/DatabaseDriver.php as the source of the SQL injection vulnerability. The patches for both version branches (2.x and 3.x) show the same change: the internal logic of quoteNameStr for quoting string parts is removed and replaced with a call to quoteNameString. This strongly suggests that the original implementation of quoteNameStr was vulnerable. The advisory mentions that this is a protected method and might not be directly exploitable in the original package but could be in extending classes. The function signature includes the namespace Joomla\Database\DatabaseDriver as it would appear in a profiler for PHP applications.
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| joomla/database | composer | >= 3.0.0, < 3.4.0 | 3.4.0 |
| joomla/database | composer | >= 1.0.0, < 2.2.0 | 2.2.0 |
Ongoing coverage of React2Shell