CVE-2015-2798
Published 2017-07-25
CVE-2015-2798: SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Priority P262 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.26% (86.8th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| web-dorado | contact_form_maker | — | — |
| web-dorado | form_maker | — | — |
Detection & IOCs (extracted from sources)
- SQL injection via the `id` parameter of the `com_contactformmaker` Joomla component: monitor HTTP requests containing `option=com_contactformmaker` for an `id` value that carries SQL metacharacters or payloads.
- The target component identifier is `com_contactformmaker`; alert on any request to this Joomla component, especially one with an unexpected or non-integer `id` value.
- The proof-of-concept uses localhost (127.0.0.1); in real-world exploitation the host will differ, but the query string pattern `option=com_contactformmaker&view=contactformmaker&id=` remains the same attack vector.
CVSS provenance
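| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |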
GHSA
GHSA-8pfg-p9g9-fjx4: SQL injection vulnerability in Joomla! Component Contact Form Maker 1
ghsa_unreviewed·2022-05-17
CVE-2015-2798 [CRITICAL] CWE-89 GHSA-8pfg-p9g9-fjx4: SQL injection vulnerability in Joomla! Component Contact Form Maker 1
SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
GHSA
GHSA-h38h-j6rc-rjrh: SQL Injection exists in the Form Maker 3
ghsa_unreviewed·2022-05-14·CVSS 9.8
CVE-2018-5991 [CRITICAL] CWE-89 GHSA-h38h-j6rc-rjrh: SQL Injection exists in the Form Maker 3
SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.
No detection rules found.
No writeups or analysis indexed.
Published: 2017-07-25