GHSA-44v2-prcf-pc3m

Source
https://github.com/advisories/GHSA-44v2-prcf-pc3m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-44v2-prcf-pc3m/GHSA-44v2-prcf-pc3m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-44v2-prcf-pc3m
Aliases
  • CVE-2025-25226
Published
2025-04-08T18:34:43Z
Modified
2025-04-09T13:42:11.893610Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Summary
Joomla Framework Database Package Vulnerable to SQL Injection
Details

Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or the 3.x branch, and therefore the vulnerability in question cannot be exploited when using the original database class. However, classes extending the affected class might be affected if the vulnerable method is used.

Database specific
{
    "nvd_published_at": "2025-04-08T17:15:35Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-09T13:08:26Z"
}
References

Affected packages

Packagist / joomla/database

Package

Name
joomla/database
Purl
pkg:composer/joomla/database

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.0

Affected versions

3.*

3.0.0
3.1.0
3.2.0
3.2.1
3.3.0
3.3.1

Packagist / joomla/database

Package

Name
joomla/database
Purl
pkg:composer/joomla/database

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
2.2.0

Affected versions

1.*

1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.6.0
1.7.0
1.7.1
1.8.0

2.*

2.0.0-beta
2.0.0-beta2
2.0.0-beta3
2.0.0-beta4
2.0.0-rc
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1