Joomla Forms Builder SQLi leaks data (CVE-2021-47930)
CVE-2021-47930: Balbooa Joomla Forms Builder 2.0.6 has an unauthenticated SQL injection (CVSS 8.8, High) that lets attackers extract database contents. The issue is vendor-confirmed and patched in version 2.0.7; update to 2.0.7 or later immediately.
Overview
CVE-2021-47930 is an unauthenticated SQL injection vulnerability in the form submission handler of the Balbooa Joomla Forms Builder component (com_baforms), affecting version 2.0.6. An attacker can send a crafted POST request whose JSON payload carries attacker-controlled SQL in the id field. Because that value is not validated or escaped before being incorporated into a SQL query, the attacker can inject arbitrary SQL into the statement the handler executes.
The flaw carries a CVSS score of 8.8 (High) with a network attack vector, low attack complexity, no privileges required, and no user interaction needed. Any client that can reach the public form endpoint can attempt it, so exploitation is straightforward.
The primary risk to organizations is the loss of database confidentiality. Through the injected query an attacker can read password hashes, session tokens, user data, and any other content stored in the Joomla database. In many configurations, stolen credentials or session tokens lead to administrative account takeover and, from there, to further server compromise.
Affected Versions
- Balbooa Joomla Forms Builder version 2.0.6
Remediation
The Balbooa team has addressed this vulnerability in version 2.0.7 of the component. The fix involves proper input validation and parameterized queries to prevent SQL injection.
Action: Update the Balbooa Joomla Forms Builder component to version 2.0.7 or later immediately. If prior exploitation is possible, administrators should also review database and web server logs for signs of it, rotate the database credentials, invalidate active sessions, and reset passwords for accounts whose hashes may have been read.
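The injection pattern described in the Overview, and the parameterized-query fix the Remediation section refers to, are easier to see side by side. The following is an added example and is not the Balbooa component's code: it models a form-submission handler that reads an id field from a JSON body and looks the form up in an in-memory SQLite database. The table names, columns, and attack body are constructed for the demonstration.

```python
"""Vulnerable vs. hardened handling of a JSON "id" field in a form handler.

Constructed example, not the Balbooa component's code. The schema, table
names (baforms_forms, users) and the stored rows are assumptions.
"""
import json
import sqlite3


def build_db():
    """In-memory stand-in for the Joomla database (schema is assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE baforms_forms (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO baforms_forms VALUES (1, 'Contact us');
        INSERT INTO users VALUES (42, 'admin', '$2y$10$constructedhash');
        """
    )
    return con


def lookup_form_vulnerable(con, body):
    """Interpolates the untrusted id straight into the SQL text.

    A JSON string in the id field is pasted in unquoted, so the attacker
    controls the rest of the statement (the flawed pattern).
    """
    data = json.loads(body)
    sql = f"SELECT id, title FROM baforms_forms WHERE id = {data['id']}"
    return con.execute(sql).fetchall()


def lookup_form_hardened(con, body):
    """Checks the type of id and binds it as a query parameter.

    The value never becomes part of the SQL text, so it cannot change the
    statement's structure; non-integers are rejected before any query runs.
    """
    data = json.loads(body)
    form_id = data.get("id")
    if isinstance(form_id, bool) or not isinstance(form_id, int):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM baforms_forms WHERE id = ?"
    return con.execute(sql, (form_id,)).fetchall()


def hardened_rejects(con, body):
    """True when the hardened lookup refuses the body instead of querying."""
    try:
        lookup_form_hardened(con, body)
    except ValueError:
        return True
    return False


# Constructed request bodies. The attack body turns the lookup into a UNION
# that appends a row built from the users table (column count matches).
BENIGN = json.dumps({"id": 1})
MALICIOUS = json.dumps(
    {"id": "0 UNION SELECT id, username || ':' || password FROM users"}
)


if __name__ == "__main__":
    con = build_db()
    print("benign, vulnerable:  ", lookup_form_vulnerable(con, BENIGN))
    print("attack, vulnerable:  ", lookup_form_vulnerable(con, MALICIOUS))
    print("benign, hardened:    ", lookup_form_hardened(con, BENIGN))
    print("attack, hardened rejected:", hardened_rejects(con, MALICIOUS))
```

Run against the attack body, the vulnerable lookup returns the admin username and password hash from a table the handler was never meant to touch; the hardened lookup refuses the body before issuing a query. In a Joomla component the equivalent is to validate the id as an integer and pass it through the database driver's binding or quoting API rather than concatenating it into the query string.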
Additional Mitigations
- Deploy a web application firewall (WAF) with rules that inspect POST request bodies, including JSON bodies, for common SQL injection patterns. Treat this as a stopgap that reduces exposure until the update is applied, not as a fix.
- Restrict network access to the Joomla administration interface. This does not block the vulnerable form handler, which is reachable without authentication, but it limits what an attacker can do with credentials or session tokens extracted through the injection.
- Monitor database query logs for anomalous or unusually long queries originating from the web application, and review web server access logs for unexpected POST requests to the com_baforms component.
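For the query-log monitoring item above, here is an added detection example; it is not code from the page's source or from the Balbooa project. It parses lines in the shape of the MySQL general query log (timestamp, connection id, command, statement text) and flags statements that look like injection activity. The log lines are constructed for the example, the jos_ table prefix is assumed, and the patterns and length threshold are starting points to tune locally.

```python
"""Flag injection-like statements in MySQL general-log lines.

Added detection example. SAMPLE_LOG is constructed to resemble the MySQL
general query log format and is not real traffic; the table prefix jos_,
the patterns and MAX_LEN are assumptions to be tuned for a given site.
"""
import re

# timestamp, connection id, command, statement text
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<text>.*)$")

SUSPICIOUS = [
    ("union-based extraction", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("time-based probe", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment truncation", re.compile(r"(--\s|#|/\*)")),
]
MAX_LEN = 300  # assumed: legitimate form lookups from the component are short

SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t  7 Query\tSELECT id, title FROM jos_baforms_forms WHERE id = 1
2024-05-01T10:00:02.000000Z\t  7 Query\tSELECT id, title FROM jos_baforms_forms WHERE id = 0 UNION SELECT id, password FROM jos_users
2024-05-01T10:00:03.000000Z\t  7 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema = database()
2024-05-01T10:00:04.000000Z\t  8 Query\tSELECT * FROM jos_session WHERE session_id = 'abc'
2024-05-01T10:00:05.000000Z\t  9 Query\tSELECT 1 WHERE 1 = 1 AND sleep(5)
"""


def parse_line(line):
    """Split one general-log line into its fields, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(text):
    """Return the reasons a statement looks like injection activity (may be empty)."""
    reasons = [name for name, rx in SUSPICIOUS if rx.search(text)]
    if len(text) > MAX_LEN:
        reasons.append("unusually long statement")
    return reasons


def scan_log(log_text):
    """Return (connection id, reasons, statement) for every flagged Query line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] != "Query":
            continue
        reasons = classify(rec["text"])
        if reasons:
            hits.append((int(rec["conn"]), reasons, rec["text"]))
    return hits


def flagged_connections(hits):
    """Count flagged statements per connection to spot a single noisy session."""
    counts = {}
    for conn, _reasons, _text in hits:
        counts[conn] = counts.get(conn, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for conn, reasons, text in found:
        print(f"conn {conn}: {', '.join(reasons)}: {text[:80]}")
    print("per connection:", flagged_connections(found))
```

The general log records every statement and is expensive on a busy server, so enable it only for a bounded investigation window; on MariaDB/MySQL the audit plugin or a proxy-level query log is the sustainable alternative. The same pattern list can seed WAF body-inspection rules, with the caveat that a WAF sees the encoded request and not the final SQL.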
Security Insight
This vulnerability is a classic example of a persistent class of flaws, unauthenticated SQL injection in form-processing extensions, that continues to affect content management systems. The specific instance is patched, but it illustrates the broader risk that third-party extensions introduce into Joomla environments: a form handler is public by design, so any injection in it needs no foothold at all. Organizations relying on community-driven extensions should maintain an up-to-date inventory of installed components and versions, and prioritize scanning for injection flaws in any component that accepts user-supplied data.