CVE-2023-54357
Awaiting Analysis Awaiting Analysis - Queue

Information Disclosure in Joomla com_booking Component

Vulnerability report for CVE-2023-54357, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-23
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
joomla com_booking to 2.4.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2023-54357 is an information disclosure vulnerability in the Joomla com_booking component version 2.4.9. It allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller.

Attackers can send specially crafted GET requests to the index.php endpoint with parameters option=com_booking, controller=customer, task=getUserData, and an id parameter. By brute forcing the id parameter, they can retrieve sensitive user information such as names, usernames, and email addresses without needing to authenticate.

Impact Analysis

This vulnerability can have significant impacts as it allows attackers to gather valid user account information including names, usernames, and email addresses without authentication.

  • Attackers can use the enumerated data for targeted phishing campaigns.
  • The information can facilitate brute-force password attacks against user accounts.
  • Exposure of user data can lead to privacy violations and loss of user trust.
Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the Joomla instance targeting the vulnerable com_booking component. Specifically, you can test the endpoint index.php with parameters option=com_booking, controller=customer, task=getUserData, and varying id values to check if user information such as names, usernames, and email addresses are returned without authentication.

A simple detection method is to use curl or similar HTTP clients to send requests incrementing the id parameter and observe if user data is disclosed.

  • curl "http://<target>/index.php?option=com_booking&controller=customer&task=getUserData&id=1"
  • curl "http://<target>/index.php?option=com_booking&controller=customer&task=getUserData&id=2"

By automating these requests with a script that increments the id parameter, you can enumerate user accounts if the vulnerability is present.

Mitigation Strategies

To mitigate this vulnerability immediately, you should restrict access to the vulnerable getUserData function in the com_booking component to authenticated and authorized users only.

If possible, update the com_booking component to a version that patches this vulnerability or apply any available security patches from the vendor.

As a temporary measure, you can implement web application firewall (WAF) rules to block or rate-limit requests to the endpoint index.php with parameters option=com_booking, controller=customer, task=getUserData, and id.

Additionally, monitor logs for suspicious GET requests targeting this endpoint to detect potential exploitation attempts.

Compliance Impact

The vulnerability in Joomla com_booking component 2.4.9 allows unauthenticated attackers to enumerate user accounts and retrieve sensitive personal information such as names, usernames, and email addresses. This exposure of personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personally identifiable information (PII) and mandate strict controls on unauthorized data access.

By enabling attackers to collect user data without authentication, the vulnerability increases the risk of privacy breaches, potentially resulting in violations of regulatory requirements for data confidentiality, user consent, and breach notification.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54357. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart