CVE-2017-20255
Status: Received - Intake
SQL Injection in Joomla JB Visa Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Joomla! Component JB Visa 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the visatype parameter. Attackers can send GET requests to index.php with the option=com_bookpro and view=popup parameters, injecting SQL commands in the visatype parameter to extract sensitive database information including credentials and table contents.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
joomla | component_jb_visa | 1.0
CWE ID | Description
CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Compliance Impact

The SQL injection vulnerability in Joomla! Component JB Visa 1.0 allows attackers to extract sensitive database information, including credentials and table contents, without authentication.

Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing protected data and failing to maintain adequate security controls.

Executive Summary

CVE-2017-20255 is an SQL injection vulnerability found in Joomla! Component JB Visa version 1.0. It allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'visatype' parameter in a GET request.

Attackers exploit this by sending crafted requests to index.php with parameters option=com_bookpro and view=popup, manipulating the 'visatype' parameter to inject SQL commands.

This can lead to extraction of sensitive database information such as credentials and table contents.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to sensitive database information, including credentials and data stored in tables.

Attackers can manipulate or extract data from the database, potentially compromising the integrity and confidentiality of the system.

Since the vulnerability is exploitable without authentication, it poses a significant security risk to affected Joomla! sites using the JB Visa component.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious GET requests targeting the Joomla! Component JB Visa, specifically requests to index.php with parameters option=com_bookpro and view=popup, where the visatype parameter contains unexpected or malicious SQL code.

A practical detection method is to look for HTTP GET requests matching the pattern: index.php?option=com_bookpro&view=popup&visatype=[SQL injection payload].

For example, you can use network monitoring tools or web server logs to search for requests containing 'option=com_bookpro&view=popup&visatype=' with suspicious SQL keywords such as 'UNION', 'SELECT', or 'INFORMATION_SCHEMA'.

  • Using grep on web server logs to find suspicious requests: grep -i 'option=com_bookpro&view=popup&visatype=' /var/log/apache2/access.log
  • Using curl to test the vulnerability by sending a crafted request: curl 'http://[target]/index.php?option=com_bookpro&view=popup&visatype=1%20UNION%20SELECT%20database()'
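
The log search described above, as an added example that is not part of the original advisory or any vendor tooling: it parses each access-log line, so it still matches when the parameters are reordered or the value is percent-encoded twice, which a fixed-string grep misses. The sample log lines are constructed, and treating legitimate visatype values as numeric IDs is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Keywords named in the guidance above; extend to suit your environment.
SQL_TOKENS = re.compile(r"\b(union|select|information_schema)\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_bookpro&view=popup&visatype=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jun/2026:10:00:05 +0000] "GET /index.php?option=com_bookpro&view=popup&visatype=1%20UNION%20SELECT%20database() HTTP/1.1" 200 812',
    '198.51.100.7 - - [19/Jun/2026:10:00:09 +0000] "GET /index.php?view=popup&visatype=1%2520UnIoN%2520SeLeCt%2520database()&option=com_bookpro HTTP/1.1" 200 812',
    '198.51.100.9 - - [19/Jun/2026:10:00:12 +0000] "GET /index.php?option=com_bookpro&view=popup&visatype=2%27 HTTP/1.1" 500 310',
    '192.0.2.44 - - [19/Jun/2026:10:00:15 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 9001',
]

def classify(line):
    """Return 'sql-keyword', 'non-numeric' or None for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # parse_qs percent-decodes once and does not care about parameter order.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    option = params.get("option", [""])[0].lower()
    view = params.get("view", [""])[0].lower()
    if option != "com_bookpro" or view != "popup" or "visatype" not in params:
        return None
    # A second decoding pass exposes double-encoded values.
    values = [unquote_plus(v) for v in params["visatype"]]
    if any(SQL_TOKENS.search(v) for v in values):
        return "sql-keyword"
    if any(not v.strip().isdigit() for v in values):  # assumption: numeric IDs
        return "non-numeric"
    return None

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```
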
Mitigation Strategies

Immediate mitigation steps include disabling or removing the vulnerable JB Visa component from your Joomla! installation to prevent exploitation.

If removal is not immediately possible, restrict access to the affected component by applying web application firewall (WAF) rules or blocking requests containing suspicious parameters targeting the visatype parameter.

Additionally, monitor your system for any signs of exploitation and review your database for unauthorized access or data leakage.

Check for any available patches or updates from the vendor or Joomla! community and apply them as soon as possible.
