CVE-2017-20271

Received Received - Intake

SQL Injection in Joomla StreetGuessr Game

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information including version and database names.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-19

Last Modified

2026-06-19

Generated

2026-06-19

AI Q&A

2026-06-19

EPSS Evaluated

N/A

NVD

CVE-2017-20271

EUVD

EUVD-2017-18998

Affected Vendors & Products

Vendor	Product	Version / Range
joomla	streetguessr_game	1.1.8
joomla	streetguessr_game	to 1.1.8 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

Joomla StreetGuessr Game version 1.1.8 contains a SQL injection vulnerability that allows unauthenticated attackers to inject malicious SQL code through the 'catid' parameter in a GET request to index.php with the parameters option=com_streetguess&view=maps.

This injection enables attackers to execute arbitrary SQL queries on the backend database, potentially extracting sensitive information such as database version and database names.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive database information by allowing attackers to execute arbitrary SQL commands without authentication.

Attackers can extract critical data such as database names and versions, which could be used to further exploit the system or compromise data confidentiality.

Given the high CVSS scores (8.8 in v4.0 and 8.2 in v3.1), this represents a significant security risk that could impact the integrity and confidentiality of your data.

Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the vulnerable Joomla StreetGuessr Game component and observing the responses for SQL injection behavior.

Specifically, you can test the 'catid' parameter in a URL like: /index.php?option=com_streetguess&view=maps&catid=[SQL payload]

For example, using curl to send a request with an SQL injection payload to extract database version or name:

curl "http://<target>/index.php?option=com_streetguess&view=maps&catid=1' UNION SELECT @@version, NULL--"
curl "http://<target>/index.php?option=com_streetguess&view=maps&catid=1' UNION SELECT database(), NULL--"

If the response contains database version or name information, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

Apply any available patches or updates from the Joomla StreetGuessr Game component vendor to fix the SQL injection vulnerability.
If patches are not available, restrict access to the vulnerable component by limiting HTTP access to trusted users or IP addresses.
Use a Web Application Firewall (WAF) to detect and block malicious requests targeting the 'catid' parameter.
Review and sanitize all user inputs in the application code to prevent SQL injection.

These steps help reduce the risk of exploitation until a permanent fix is applied.

Compliance Impact

The SQL injection vulnerability in Joomla StreetGuessr Game 1.1.8 allows unauthenticated attackers to extract sensitive database information. This unauthorized access to sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

By enabling attackers to execute arbitrary SQL queries and potentially access confidential data, the vulnerability increases the risk of data exposure, which can result in violations of regulatory requirements for data confidentiality, integrity, and security.

Hi! I’m here to help you understand CVE-2017-20271. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2017-20271

SQL Injection in Joomla StreetGuessr Game

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart