CVE-2017-20266
Received - Intake
SQL Injection in Joomla SP Movie Database

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword parameter. Attackers can send GET requests to the searchresults view with crafted SQL payloads in the searchword parameter to extract sensitive database information.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
joomla | sp_movie_database | 1.3
joomshaper | sp_movie_database | to 1.3 (inc)
CWE ID | Description
CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Compliance Impact

The SQL injection vulnerability in Joomla SP Movie Database 1.3 allows unauthenticated attackers to extract sensitive database information by injecting malicious SQL queries through the searchword parameter.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data without proper authorization.

Executive Summary

The vulnerability is an SQL injection flaw in Joomla SP Movie Database version 1.3. It allows unauthenticated attackers to inject malicious SQL code through the 'searchword' parameter in the searchresults view by sending specially crafted GET requests.

This injection enables attackers to execute arbitrary SQL queries on the database, potentially manipulating or extracting sensitive information.

Impact Analysis

This vulnerability can have serious impact, including unauthorized access to sensitive database information by attackers who do not need to authenticate.

Attackers can exploit this flaw to extract confidential data, manipulate database contents, or potentially disrupt the normal operation of the web application.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the vulnerable Joomla SP Movie Database component, specifically requests that carry the 'searchword' parameter to /index.php?option=com_spmoviedb&view=searchresults.

You can look for suspicious or unusual SQL payloads injected into the 'searchword' parameter in web server logs or by using network monitoring tools.

  • Use tools like curl or wget to test the endpoint with crafted SQL injection payloads, for example:
      curl "http://[target]/index.php?option=com_spmoviedb&view=searchresults&searchword=' OR '1'='1&type=movies&Itemid=523"
  • Check web server logs for GET requests containing suspicious SQL keywords or characters in the 'searchword' parameter.
  • Use web vulnerability scanners that support SQL injection detection against the searchresults view of the SP Movie Database component.
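
One way to run the log check described above, as an added example (not code from the advisory or the vendor). It assumes Apache/Nginx combined-format access logs; the sample lines, client addresses and the regex heuristics are constructed for illustration and should be tuned to local traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jun/2026:10:01:02 +0000] "GET /index.php?option=com_spmoviedb&view=searchresults&searchword=batman&type=movies&Itemid=523 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2026:10:01:05 +0000] "GET /index.php?option=com_spmoviedb&view=searchresults&searchword=%27%20OR%20%271%27%3D%271&type=movies&Itemid=523 HTTP/1.1" 200 48211 "-" "curl/8.5.0"
203.0.113.24 - - [19/Jun/2026:10:01:09 +0000] "GET /index.php?option=com_spmoviedb&view=searchresults&searchword=%27+OR+%271%27=%271&type=movies HTTP/1.1" 200 48211 "-" "Wget/1.21"
198.51.100.7 - - [19/Jun/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&searchword=%27+OR+%271%27%3D%271 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.8 - - [19/Jun/2026:10:03:00 +0000] "GET /index.php?option=com_spmoviedb&view=searchresults&searchword=Ocean%27s+Eleven&type=movies HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Client address, request target and status code of a GET request.
REQUEST_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+" (\d{3})')

# Heuristics applied to the *decoded* searchword value (assumed, not exhaustive).
SQLI_RE = re.compile(
    r"""'\s*(?:or|and)\b          # quote closing the string, then a boolean operator
      | \bunion\b.*\bselect\b     # UNION-based query
      | --|/\*|;                  # comment markers or a stacked statement
      | \b(?:sleep|benchmark|information_schema)\b""",
    re.IGNORECASE | re.VERBOSE)

def find_suspicious(log_text):
    """Return (client_ip, status, decoded searchword) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # parse_qs percent-decodes values and turns '+' into a space.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # Only the component and view named in the advisory are in scope.
        if params.get("option") != ["com_spmoviedb"] or params.get("view") != ["searchresults"]:
            continue
        for value in params.get("searchword", []):
            if SQLI_RE.search(value):
                hits.append((ip, int(status), value))
    return hits

if __name__ == "__main__":
    for ip, status, value in find_suspicious(SAMPLE_LOG):
        print(f"{ip} status={status} searchword={value!r}")
```

A lone apostrophe in a title search (the "Ocean's Eleven" line) is not flagged, which keeps ordinary searches out of the alert stream.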
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable component and sanitizing inputs to prevent SQL injection.

  • Apply any available patches or updates from the vendor or Joomla extensions directory to upgrade SP Movie Database beyond version 1.3.
  • If patches are not available, consider disabling or removing the SP Movie Database component to prevent exploitation.
  • Implement web application firewall (WAF) rules to block malicious SQL injection attempts targeting the 'searchword' parameter.
  • Monitor logs for suspicious activity and block offending IP addresses if necessary.