CVE-2017-20273
SQL Injection in Joomla Event Registration Pro Calendar

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category and an id parameter containing SQL injection payloads to extract sensitive database information.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)

Vendor          Product                            Version / Range
joomla          event_registration_pro_calendar    4.1.3
joomlashowroom  event_registration_pro_calendar    4.1.3
CWE

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2017-20273 is an SQL injection vulnerability in Joomla Event Registration Pro Calendar version 4.1.3. It allows unauthenticated attackers to inject malicious SQL code through the 'id' parameter in GET requests to index.php with specific options. This injection enables attackers to execute arbitrary SQL queries on the backend database.

The vulnerability is exploited by sending specially crafted requests to the URL path /index.php?option=com_registrationpro&view=category&id=[SQL], where the 'id' parameter contains SQL injection payloads. This can be used to extract sensitive information from the database, such as table and column names.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can extract confidential data by executing arbitrary SQL queries without authentication.

  • Exposure of sensitive data stored in the database.
  • Potential compromise of database integrity and confidentiality.
  • Increased risk of further attacks leveraging the extracted information.

Detection Guidance

This SQL injection vulnerability can be detected by sending crafted GET requests to the vulnerable Joomla component and observing the responses for SQL errors or unexpected data.

A typical detection command involves sending a request to the URL path with the 'id' parameter containing SQL injection payloads, for example:

  • curl "http://[target]/index.php?option=com_registrationpro&view=category&id=1' UNION SELECT 1,table_name FROM information_schema.tables--"

If the response contains database table names or SQL error messages, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable component, applying input validation or sanitization on the 'id' parameter, and updating or patching the Joomla Event Registration Pro Calendar component to a fixed version if available.

Until a patch is applied, consider implementing web application firewall (WAF) rules to block malicious SQL injection payloads targeting the 'id' parameter in requests to index.php with option=com_registrationpro.
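The detection and mitigation notes above both reduce to one rule: requests to the com_registrationpro category view whose id parameter is not a plain integer are suspect. The following Python is an added example (not code from the page, VulnCheck or the component vendor) that applies that rule to access-log lines; it assumes a combined-log-format source and that legitimate category ids are numeric, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client IP, two ident fields, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a legitimate category id is a short decimal integer.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def suspicious_id(target):
    """Return the decoded id value if the request targets index.php with
    option=com_registrationpro&view=category and a non-numeric id, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "index.php":
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if params.get("option") != "com_registrationpro" or params.get("view") != "category":
        return None
    if "id" not in params:
        return None
    # parse_qs already decoded once; decode again so double-encoded payloads
    # (%2527 -> %27 -> ') are judged on their final form.
    id_value = unquote(params["id"])
    return None if NUMERIC_ID.fullmatch(id_value) else id_value


def scan_log(lines):
    """Return (client_ip, status, decoded_id) for every suspicious request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        id_value = suspicious_id(m["target"])
        if id_value is not None:
            hits.append((m["ip"], int(m["status"]), id_value))
    return hits


# Constructed sample log lines: one benign category request, the page's UNION probe,
# an unrelated component, and a double-encoded probe against a sub-directory install.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Jun/2026:10:01:02 +0000] "GET /index.php?option=com_registrationpro&view=category&id=7 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [19/Jun/2026:10:01:09 +0000] "GET /index.php?option=com_registrationpro&view=category&id=1%27%20UNION%20SELECT%201,table_name%20FROM%20information_schema.tables-- HTTP/1.1" 200 8192',
    '198.51.100.5 - - [19/Jun/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1%27 HTTP/1.1" 404 321',
    '198.51.100.7 - - [19/Jun/2026:10:03:00 +0000] "GET /site/index.php?option=com_registrationpro&view=category&id=%2531%2527%2520or%25201%253d1 HTTP/1.1" 500 210',
]

if __name__ == "__main__":
    for ip, status, id_value in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} id={id_value!r}")
```

The same predicate, applied before the request reaches the component, is the WAF or input-validation rule the mitigation describes.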

Compliance Impact

The SQL injection vulnerability in Joomla Event Registration Pro Calendar 4.1.3 allows unauthenticated attackers to extract sensitive database information. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized disclosure.

Because attackers can execute arbitrary SQL queries and potentially access confidential data, organizations using the affected software may face compliance risks related to data confidentiality, integrity, and privacy mandates under these standards.
