Primary

Context

HikaShop SQL Injection Vulnerability for Joomla

Vulnerability

A SQL injection vulnerability has been identified in the HikaShop component for Joomla, affecting versions 3.3.0 prior to 5.1.4. This vulnerability allows authenticated administrators to execute arbitrary SQL commands in the category management area of the backend. The issue arises from the 'data[category][category_image]' parameter in multipart requests.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, which could lead to unauthorized data access or manipulation within the database.

Reproduction

To reproduce this vulnerability, navigate to 'HikaShop >> Categories >> 1 >> Computing >> Edit' in the Joomla backend. Save the edit request to a file named 'req.txt'. This request can then be used with sqlmap, a popular SQL injection exploitation tool, to demonstrate the vulnerability. Sqlmap can be instructed to read the saved request file and target the vulnerable parameter, showcasing how the SQL injection can be exploited.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

4.2

exploitability

6.3

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

4.2

exploitability

6.3

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

HikaShop SQL Injection Vulnerability for Joomla

Vulnerability

Impact

Reproduction

Affected Products

HikaShop

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating