CVE-2017-20254

Received Received - Intake

SQL Injection in Joomla User Bench Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description

Joomla! Component User Bench 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the userid parameter. Attackers can send GET requests to index.php with the option=com_userbench&view=detail&userid parameter containing SQL injection payloads to extract sensitive database information including credentials and configuration data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-19

Last Modified

2026-06-19

Generated

2026-06-19

AI Q&A

2026-06-19

EPSS Evaluated

N/A

NVD

CVE-2017-20254

EUVD

EUVD-2017-18981

Affected Vendors & Products

Vendor	Product	Version / Range
joomla	component_user_bench	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

Joomla! Component User Bench version 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the userid parameter in GET requests.

Attackers can send specially crafted requests to index.php with parameters option=com_userbench, view=detail, and userid containing SQL injection payloads. This improper neutralization of special elements in SQL commands enables attackers to extract sensitive database information, including credentials and configuration data.

Impact Analysis

This vulnerability can have a significant impact as it allows unauthenticated attackers to access sensitive information stored in the database.

Extraction of sensitive database information such as user credentials.
Exposure of configuration data that could be used to further compromise the system.
Potential unauthorized access to the system due to leaked credentials.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the Joomla! site for suspicious or malformed requests targeting the vulnerable component. Specifically, look for requests to index.php with parameters option=com_userbench, view=detail, and userid containing SQL injection payloads.

A simple detection method is to use network or web server logs to search for requests matching the pattern: index.php?option=com_userbench&view=detail&userid= followed by suspicious SQL code.

Example commands to detect potential exploitation attempts include:

Using grep on web server logs to find suspicious userid parameters: grep "option=com_userbench&view=detail&userid=" /var/log/apache2/access.log
Using curl to test for SQL injection by sending a crafted request: curl "http://target-site/index.php?option=com_userbench&view=detail&userid=1' OR '1'='1"
Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on SQL injection patterns in the userid parameter.

Mitigation Strategies

Immediate mitigation steps include:

Apply any available patches or updates to the Joomla! Component User Bench to fix the SQL injection vulnerability.
If patches are not available, restrict access to the vulnerable component by limiting HTTP requests to index.php with option=com_userbench&view=detail parameters.
Implement web application firewall (WAF) rules to block or sanitize requests containing suspicious SQL injection payloads in the userid parameter.
Monitor logs for exploitation attempts and respond accordingly.
Consider disabling or removing the vulnerable component if it is not essential.

Compliance Impact

The SQL injection vulnerability in Joomla! Component User Bench 1.0 allows unauthenticated attackers to extract sensitive database information, including credentials and configuration data.

Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data exposure and lack of adequate security controls.

Hi! I’m here to help you understand CVE-2017-20254. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2017-20254

SQL Injection in Joomla User Bench Component

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart