CVE-2017-20281
Status: Received - Intake
SQL Injection in Joomla Extra Search Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Joomla! Component Extra Search 2.2.8 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the establename parameter. Attackers can send GET requests to index.php with the option=com_extrasearch parameter and malicious SQL in the establename field to extract sensitive database information.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product                  Version / Range
joomla   component_extra_search   2.2.8
joomla   component_extra_search   up to 2.2.8 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
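The CWE-89 description above is abstract, so here is an added illustration (Python with an in-memory SQLite table; it is not the Extra Search component's code and the table, column names and rows are constructed for the example). It places the string-splicing pattern next to the parameterized form and runs both with the `' OR '1'='1` value that the detection guidance on this page quotes: the spliced query returns every row, including a private one, while the bound parameter returns nothing.

```python
import sqlite3

# Constructed stand-in table for a listing/establishment search; this is NOT
# the Extra Search component's real schema or code (assumption for the demo).
SAMPLE_ROWS = [
    (1, "Blue Cafe", "public"),
    (2, "Harbor Inn", "public"),
    (3, "Staff Only Office", "private"),  # must never be returned to visitors
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE establishments "
        "(id INTEGER PRIMARY KEY, establename TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO establishments VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, establename):
    """CWE-89 pattern: the request value is spliced into the SQL text.

    A quote character in the value closes the string literal, so the rest of
    the input is parsed as SQL and can rewrite the WHERE clause.
    """
    sql = (
        "SELECT establename FROM establishments "
        "WHERE visibility = 'public' AND establename = '" + establename + "' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, establename):
    """Hardened form: a bound parameter is always treated as data.

    The same payload now simply fails to match any establename value.
    """
    sql = (
        "SELECT establename FROM establishments "
        "WHERE visibility = 'public' AND establename = ? "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (establename,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # the tautology quoted in the detection guidance
    print("vulnerable   :", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
```

With the payload, the spliced query becomes `... AND establename = '' OR '1'='1' ORDER BY id`, and because `OR` binds more loosely than `AND`, the `visibility = 'public'` filter is bypassed entirely. Joomla's own database layer offers the same protection through its query builder and bound parameters; the fix is always binding, not escaping by hand.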
AI Quick Actions
Executive Summary

CVE-2017-20281 is a SQL injection vulnerability found in Joomla! Component Extra Search version 2.2.8. It allows unauthenticated attackers to inject malicious SQL code through the 'establename' parameter in GET requests to index.php with the 'option=com_extrasearch' parameter.

By exploiting this flaw, attackers can manipulate database queries, potentially extracting sensitive information from the database without any authentication.

Compliance Impact

The SQL injection vulnerability in Joomla! Component Extra Search 2.2.8 allows unauthenticated attackers to extract sensitive database information by injecting malicious SQL code. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized disclosure or access.

Because attackers can manipulate database queries and potentially access confidential data without authentication, organizations using the vulnerable component may face compliance risks, including breaches of confidentiality, integrity, and availability requirements mandated by these standards.

Impact Analysis

This vulnerability can have a significant impact because it allows attackers to access sensitive database information without authorization.

  • Unauthorized extraction of sensitive data from the Joomla! database.
  • Potential manipulation or corruption of database contents.
  • Compromise of the integrity and confidentiality of the affected Joomla! installation.

Because the vulnerability requires no authentication and has a high CVSS score (8.8), it poses a serious security risk to websites using the vulnerable component.

Detection Guidance

This SQL injection vulnerability can be detected by monitoring HTTP GET requests to Joomla! sites for suspicious usage of the 'establename' parameter in URLs containing 'option=com_extrasearch'. Specifically, requests to URLs like index.php?option=com_extrasearch&view=details&listing_id=1&establename=[SQL] or index.php?option=com_extrasearch&controller=createusers&establename=[SQL] may indicate exploitation attempts.

To detect potential exploitation, you can use web server logs or network monitoring tools to search for these patterns.

  • Use grep or similar tools on web server logs to find suspicious requests, for example: grep "option=com_extrasearch" access.log | grep "establename="
  • Use curl or wget to test the endpoint with benign and malicious payloads to verify if the parameter is vulnerable.
  • Example curl command to test for SQL injection: curl "http://yourjoomlasite/index.php?option=com_extrasearch&view=details&listing_id=1&establename=' OR '1'='1"
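The grep pipeline above finds every request that carries both markers, but it cannot tell a legitimate search for a pub called O'Neill's from an injection attempt. The following Python script is an added example (not part of the original page or of any vendor tooling) that takes the same detection idea further: it parses constructed Apache combined-format log lines, decodes the query string, keeps only `option=com_extrasearch` requests that carry `establename`, records which of the two entry points named above was used, and grades the decoded value as benign, suspicious (SQL metacharacters present) or likely_injection (a boolean tautology of the form quoted above). The IP addresses, timestamps and requests in the log lines are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" format access-log lines; the addresses,
# timestamps and requests are made up for this example, not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [19/Jun/2026:10:01:02 +0000] "GET /index.php?option=com_extrasearch&view=details&listing_id=1&establename=Blue%20Cafe HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jun/2026:10:01:07 +0000] "GET /index.php?option=com_extrasearch&view=details&listing_id=1&establename=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876 "-" "curl/8.0"',
    '198.51.100.2 - - [19/Jun/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jun/2026:10:02:15 +0000] "GET /index.php?option=com_extrasearch&view=details&listing_id=2&establename=O%27Neill%27s%20Pub HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jun/2026:10:02:30 +0000] "GET /index.php?option=com_extrasearch&controller=createusers&establename=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 120 "-" "curl/8.0"',
]

# Request line of the combined log format: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that only matter if the value reaches an SQL string literal.
SQL_META_RE = re.compile(r"['\";]|--|/\*")
# Boolean tautology such as  ' OR '1'='1  (the form quoted in the guidance above).
TAUTOLOGY_RE = re.compile(r"\b(or|and)\b\s*'?\S+'?\s*=\s*'?\S+'?", re.IGNORECASE)


def classify_establename(value):
    """Grade a decoded establename value: benign, suspicious or likely_injection."""
    if TAUTOLOGY_RE.search(value):
        return "likely_injection"
    if SQL_META_RE.search(value):
        # A lone apostrophe (O'Neill's) is legitimate in names, so only flag it
        # for review rather than treating it as an attack.
        return "suspicious"
    return "benign"


def scan_log(lines):
    """Return one finding per com_extrasearch request that carries establename."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than abort the scan
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if query.get("option") != ["com_extrasearch"] or "establename" not in query:
            continue
        # The guidance names two entry points: view=details and controller=createusers.
        entry = query.get("controller", query.get("view", ["?"]))[0]
        for value in query["establename"]:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "entry": entry,
                "establename": value,
                "verdict": classify_establename(value),
            })
    return findings


def summarize(findings):
    """Count findings per verdict so the noisy benign bucket can be filtered out."""
    counts = {"benign": 0, "suspicious": 0, "likely_injection": 0}
    for finding in findings:
        counts[finding["verdict"]] += 1
    return counts


if __name__ == "__main__":
    results = scan_log(LOG_LINES)
    for finding in results:
        if finding["verdict"] != "benign":
            print(finding)
    print(summarize(results))
```

Feed it a real access log with `scan_log(open("access.log"))` and pivot on the `ip` and `entry` fields: a single client hitting both the `details` view and the `createusers` controller with tautology values, as in the constructed sample, is the pattern worth escalating, while isolated "suspicious" hits on names with apostrophes are usually noise. Because the rule decodes the query string before matching, percent-encoded variants of the same payload are caught as well, which a plain grep on the raw line would miss.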

Mitigation Strategies

Immediate mitigation steps include:

  • Apply any available patches or updates from the Joomla! Component Extra Search developer to fix the SQL injection vulnerability.
  • If patches are not available, consider disabling or removing the vulnerable Extra Search component (version 2.2.8 or earlier) from your Joomla! installation.
  • Implement web application firewall (WAF) rules to block or filter requests containing suspicious SQL injection patterns targeting the 'establename' parameter.
  • Monitor logs for exploitation attempts and restrict access to the vulnerable endpoints if possible.