CVE-2025-49467 PUBLISHED

Joomla Extension - jevents.net - SQL injection vulnerability in JEvents component before 3.6.88 and 3.6.82.1 for Joomla

Assigner: Joomla
Reserved: 05.06.2025 Published: 12.06.2025 Updated: 12.06.2025

A SQL injection vulnerability was discovered in the JEvents component for Joomla before 3.6.88 and 3.6.82.1. The extension is vulnerable to SQL injection via publicly accessible actions that list events by date range.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/U:Amber
CVSS Score: 9.3

Product Status

Vendor: jevents.net / GWE Systems Ltd
Product: JEvents component for Joomla
Versions (default: unaffected):
  • Version 1.0.0-3.6.82 is affected
  • Version 3.6.82.1 is unaffected
  • Version 3.6.83-3.6.87 is affected

Credits

  • José Apari Pantigozo (finder)

Problem Types

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')