PatchSiren


CVE-2017-20267 Joomlathat CVE debrief

CVE-2017-20267 is an SQL injection vulnerability in Joomla! Component Calendar Planner 1.0.1. Unaffected versions and specific vulnerable configurations are not detailed. The vulnerability allows unauthenticated attackers to inject malicious SQL commands via the category_id parameter in GET requests to the events view, potentially leading to sensitive database information disclosure. Defenders should assess their exposure given limited information. This issue has a CVSS score of 8.8, indicating high severity.

Vendor: Joomlathat
Product: Calendar Planner
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Defenders managing Joomla! installations with the Calendar Planner component version 1.0.1 should prioritize assessment and mitigation. Due to the high CVSS score of 8.8, immediate attention is warranted to prevent potential exploitation.

Technical summary

CVE-2017-20267 is an SQL injection issue in the Joomla! Component Calendar Planner version 1.0.1. The component accepts attacker-controlled SQL through the category_id parameter in GET requests to the events view, and no authentication is required. Successful exploitation could allow attackers to extract sensitive database information. The vulnerability's CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, with a high severity score of 8.8.

Defensive priority

High priority due to CVSS score of 8.8 and potential for sensitive information disclosure.

Recommended defensive actions

  • Inventory Joomla! installations for Calendar Planner component version 1.0.1
  • Review official advisories for specific mitigation guidance
  • Limit exposure by restricting access to the events view
  • Monitor for suspicious GET requests to the events view
  • Apply vendor-supported remediation when available
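One way to carry out the monitoring action above, as an added example that is not part of the original advisory: a log filter that flags GET requests to the events view whose category_id is not a plain integer. It assumes combined-format access logs, Joomla's usual view= query parameter, and that legitimate category_id values are numeric; the log lines and the com_example option name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration only. "com_example" is a
# placeholder: the advisory does not give the component's option name.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Jun/2026:10:01:02 +0000] "GET /index.php?option=com_example&view=events&category_id=3 HTTP/1.1" 200 5120
203.0.113.9 - - [22/Jun/2026:10:04:17 +0000] "GET /index.php?option=com_example&view=events&category_id=3%27 HTTP/1.1" 500 312
198.51.100.7 - - [22/Jun/2026:10:05:40 +0000] "GET /index.php?option=com_example&view=month&category_id=x HTTP/1.1" 200 4800
203.0.113.9 - - [22/Jun/2026:10:06:03 +0000] "GET /index.php?option=com_example&view=events&category_id=7%20 HTTP/1.1" 200 5120
198.51.100.7 - - [22/Jun/2026:10:07:11 +0000] "POST /index.php?option=com_example&view=events&category_id=3%27 HTTP/1.1" 200 90
"""

# client, identd, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: a legitimate category_id is a short decimal integer.
NUMERIC_ID = re.compile(r"\d{1,10}")


def suspicious_requests(log_text):
    """Return GET requests to view=events with a non-numeric category_id."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparsable line, or outside the advisory's GET scope
        # parse_qs percent-decodes values, so encoded characters are compared
        # in decoded form.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "events" not in query.get("view", []):
            continue
        values = query.get("category_id")
        if values and any(not NUMERIC_ID.fullmatch(v) for v in values):
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "category_id": values})
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 5xx status on a flagged request, as in the second sample line, is worth triaging first because it can indicate the value reached the database layer and broke a query.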

Evidence notes

Primary evidence includes the CVE-2017-20267 record and NVD details. The evidence is limited, so defenders need to verify specific vulnerable configurations and versions themselves. The Calendar Planner component version 1.0.1 is confirmed affected. Defenders should verify Joomla! and Calendar Planner versions, and monitor for suspicious activity.

This article is AI-assisted and based on the supplied source corpus.