CVE-2017-20260
SQL Injection in Joomla Price Alert Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Joomla! Component Price Alert 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can send requests to the subscribeajax view with crafted SQL payloads in the product_id parameter to extract sensitive database information including credentials and configuration data.
Affected Vendors & Products
Vendor: weborange
Product: price_alert
Version / Range: 3.0.2
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Compliance Impact

The SQL injection vulnerability in Joomla! Component Price Alert 3.0.2 allows unauthenticated attackers to extract sensitive database information, including credentials and configuration data.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to potential data breaches and exposure of confidential information.

Executive Summary

CVE-2017-20260 is a high-severity SQL injection vulnerability found in Joomla! Component Price Alert version 3.0.2. It allows unauthenticated attackers to inject malicious SQL code through the product_id parameter in requests to the subscribeajax view.

By exploiting this flaw, attackers can execute arbitrary SQL queries on the backend database, potentially manipulating database operations.

This injection can be performed by sending specially crafted URLs containing malicious SQL payloads in the product_id parameter.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information such as credentials and configuration data.

Attackers may manipulate, extract, or delete data from the database, leading to data breaches or disruption of service.

Since the vulnerability can be exploited without authentication, it poses a significant risk to affected systems.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Joomla! Price Alert component, specifically targeting the 'subscribeajax' view with the 'product_id' parameter.

You can look for suspicious or crafted SQL payloads in URLs similar to: http://[your-site]/index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=[SQL_PAYLOAD]

A simple detection command using curl to test for SQL injection might be:

  • curl -i "http://[your-site]/index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=1' OR '1'='1"

If the response differs significantly or returns database errors, it may indicate the presence of the vulnerability.

Additionally, network intrusion detection systems (NIDS) can be configured to alert on SQL injection patterns targeting the 'product_id' parameter in requests to this component.
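
As an added example, not part of the original advisory, the following Python script applies the detection guidance above to web-server access logs: it parses each request line, picks out calls to the com_price_alert subscribeajax view, and flags any whose product_id is missing or is not a plain integer. The log lines, timestamps and IP addresses are constructed sample data; the option, view, task and product_id names are the ones the advisory describes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 2 carries the URL-encoded form of the probe shown in the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Jun/2026:10:00:02 +0000] "GET /index.php?option=com_price_alert&view=subscribeajax&task=pricealert_ajax&product_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87 "-" "curl/8.0"
203.0.113.12 - - [19/Jun/2026:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def is_price_alert_subscribe(query):
    """True when the query string targets the com_price_alert subscribeajax view."""
    return (query.get("option", [""])[0] == "com_price_alert"
            and query.get("view", [""])[0] == "subscribeajax")


def classify(line):
    """Return a finding for a suspicious Price Alert request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so encoded quotes and spaces are visible.
    query = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    if not is_price_alert_subscribe(query):
        return None
    product_id = query.get("product_id", [""])[0]
    # A legitimate product_id is a plain integer; anything else is flagged.
    if re.fullmatch(r"\d+", product_id):
        return None
    return {"ip": m["ip"], "ts": m["ts"],
            "status": int(m["status"]), "product_id": product_id}


def scan(log_text):
    """Run classify() over every line and collect the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample data only the second line is reported, with the decoded product_id value `1' OR '1'='1`; pipe a real access log into scan() to run the same check on production traffic.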

Mitigation Strategies

Immediate mitigation steps include:

  • Disable or remove the vulnerable Joomla! Price Alert component version 3.0.2 from your system.
  • Avoid using the Price Alert extension until a patched or secure version is available.
  • Restrict access to the vulnerable URL endpoints, such as the 'subscribeajax' view, via web application firewall (WAF) rules or server configuration.
  • Monitor logs for suspicious requests targeting the 'product_id' parameter and block offending IP addresses.

Since the extension was removed from the Joomla Extensions Directory due to this vulnerability, users are advised to avoid installing or using it.
