CVE-2019-25749
Received - Intake
SQL Injection in Joomla J-CruisePortal

Publication date: 2026-06-19

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guest_adult parameter to extract sensitive database information or manipulate database records.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-20
Generated: 2026-06-21
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor     | Product         | Version / Range
cmsjunkie  | j-cruiseportal  | 6.0.4
joomla     | j-cruiseportal  | to 6.0.7 (inclusive)
CWE ID | Description
CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

Joomla J-CruisePortal version 6.0.4 contains a high-severity SQL injection vulnerability. This flaw allows authenticated attackers to inject malicious SQL code through the 'guest_adult' parameter in POST requests sent to the 'cruises' endpoint.

By exploiting this vulnerability, attackers can execute arbitrary SQL queries on the backend database, which may lead to unauthorized access to sensitive information or manipulation of database records.

Impact Analysis

This vulnerability can have significant impacts including unauthorized extraction of sensitive database information and unauthorized modification of database records.

  • Attackers can gain access to confidential data stored in the database.
  • Attackers can manipulate or corrupt data, potentially disrupting business operations.
  • The integrity and confidentiality of the database can be compromised.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests sent to the 'cruises' endpoint that include the 'guest_adult' parameter with potentially malicious SQL payloads.

A practical detection method is to capture and analyze HTTP POST traffic targeting the '/cruises' endpoint, looking specifically for unusual or crafted SQL code in the 'guest_adult' parameter.

For example, command-line tools like curl or wget can simulate such a request to confirm that monitoring catches it, and packet capture tools can detect such requests on the wire. Commands similar to the following might be used:

  • curl -X POST -d "guest_adult=' OR '1'='1" http://[target]/cruises
  • tcpdump or Wireshark filters to capture POST requests to the '/cruises' endpoint and inspect the 'guest_adult' parameter for SQL injection patterns.
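
The inspection step described above, written as an allow-list check instead of a search for SQL keywords (an added example, not code from the vendor or from this advisory). It assumes the endpoint path ends in /cruises, that bodies are form-encoded, and that a valid guest count is a one- or two-digit integer; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a valid guest count is a one- or two-digit ASCII integer.
GUEST_COUNT = re.compile(r"[0-9]{1,2}")


def check_guest_adult(method, url, body):
    """Return a reason string if the request should be flagged, else None."""
    path = urlsplit(url).path.rstrip("/")
    if method.upper() != "POST" or not path.endswith("/cruises"):
        return None
    # parse_qs percent-decodes values and keeps repeated keys as a list,
    # so encoded payloads and duplicated parameters are both visible.
    values = parse_qs(body, keep_blank_values=True).get("guest_adult")
    if values is None:
        return None  # parameter absent: nothing to judge
    if len(values) > 1:
        return "guest_adult supplied %d times" % len(values)
    if not GUEST_COUNT.fullmatch(values[0]):
        return "guest_adult is not a plain integer: %r" % values[0]
    return None


def scan(requests):
    """Return (index, reason) for every flagged request in the capture."""
    hits = []
    for i, (method, url, body) in enumerate(requests):
        reason = check_guest_adult(method, url, body)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample capture (method, URL, form-encoded body).
SAMPLE = [
    ("POST", "/cruises", "guest_adult=2"),
    ("POST", "/cruises", "guest_adult=%27+OR+%271%27%3D%271"),
    ("POST", "/cruises/", "guest_adult=2&guest_adult=2x"),
    ("POST", "/cruises", "guest_adult="),
    ("GET", "/cruises", "guest_adult=abc"),
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE):
        print(index, reason)
```

Because the rule describes what a legitimate value looks like, it also flags encoded or obfuscated payloads that a keyword signature would miss.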
Mitigation Strategies

Immediate mitigation steps include restricting authenticated user input to the 'guest_adult' parameter by implementing proper input validation and sanitization to prevent SQL injection.

Additionally, applying any available patches or updates from the vendor that address this vulnerability is critical.

If patching is not immediately possible, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting the 'guest_adult' parameter in POST requests to the 'cruises' endpoint.

Limiting the privileges of authenticated users to the minimum necessary can also reduce the risk of exploitation.

Compliance Impact

The SQL injection vulnerability in Joomla J-CruisePortal 6.0.4 allows attackers to extract sensitive database information or manipulate records. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require the protection of personal and sensitive information from unauthorized access or breaches.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.
