JoomlaUX JUX Real Estate SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in JoomlaUX JUX Real Estate version 3.4.0. The issue arises in the component's GET parameter handler, specifically within the file '/extensions/realestate/index.php/properties/list/list-with-sidebar/realties'. Remote attackers can manipulate the 'title' parameter to gain unauthorized database access. Exploitation could result in data modification or application disruption.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to access, modify, or delete database information. The vulnerability could also be used to execute administrative operations on the database, potentially leading to further application compromise.

Reproduction

To reproduce this vulnerability, send a GET request to '/extensions/realestate/index.php/properties/list/list-with-sidebar/realties' with the 'title' parameter crafted to exploit the SQL injection. The payload should be designed to manipulate the SQL query processing, such as using time-based blind SQL injection techniques to extract database information.
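For defenders, the request shape described above can be looked for in web server access logs. The following is an added example, not code from the advisory or from JoomlaUX: it flags GET requests to the affected path whose 'title' value carries database delay functions or a quote followed by SQL syntax. The regular expressions, the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Path and parameter named in the advisory.
VULN_PATH = "/extensions/realestate/index.php/properties/list/list-with-sidebar/realties"
PARAM = "title"

# Heuristics (assumed, not from the advisory): delay primitives of common DBMSs,
# and a quote followed by SQL syntax, a comment opener, or UNION SELECT.
DELAY = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
SQL_SYNTAX = re.compile(
    r"'\s*(?:(?:and|or|union|select)\b|;|--|#|\))|/\*|\bunion\s+select\b", re.I)
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return 'time-based', 'suspicious' or None for one access-log line."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(VULN_PATH):
        return None
    # parse_qs decodes once; decode again to catch double-encoded values.
    values = [unquote_plus(v) for v in
              parse_qs(url.query, keep_blank_values=True).get(PARAM, [])]
    if any(DELAY.search(v) for v in values):
        return "time-based"
    if any(SQL_SYNTAX.search(v) for v in values):
        return "suspicious"
    return None

def log_line(ip, target):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [09/Jun/2025:19:40:01 +0000] "GET {target} HTTP/1.1" 200 5120'

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    log_line("192.0.2.10", VULN_PATH + "?title=villa"),
    log_line("192.0.2.11", VULN_PATH + "?title=King%27s+Cross"),
    log_line("203.0.113.7", VULN_PATH + "?title=x%27--%20"),
    log_line("203.0.113.7", VULN_PATH + "?title=x%27%20AND%20SLEEP(5)--%20"),
    log_line("203.0.113.7", VULN_PATH + "?title=x%2527%2520AND%2520SLEEP(5)"),
    log_line("192.0.2.12", "/index.php?title=sleep(5)"),
]

def scan(lines):
    """Classify each line; the result is index-aligned with the input."""
    return [classify(l) for l in lines]
```

A hit from this scan is a lead for triage, not proof of compromise; pairing 'time-based' hits with unusually long response times for the same requests strengthens the signal.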

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.