CVE-2025-25226

Published Apr 8, 2025

Last updated 9 months ago

CVSS critical 9.8

Overview

Description: Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.
Source: security@joomla.org
NVD status: Analyzed
Products: joomla\!

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@joomla.org: CWE-89
nvd@nist.gov: CWE-89

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "C69B50FF-AD2E-4F47-BBB9-D6FAA51D0872",
            "versionEndExcluding": "2.2.0",
            "versionStartIncluding": "1.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "D89B0522-E39C-4031-994C-27E6C6AB69AA",
            "versionEndExcluding": "3.4.0",
            "versionStartIncluding": "3.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References