SQL injection in the mod_vvisit_counter module
Posted date 03/10/2025
Identifier
INCIBE-2025-0540
Importance
5 - Critical
Affected Resources
mod_vvisit_counter, version 2.0.4j3.
Description
INCIBE has coordinated the publication of a critical vulnerability affecting mod_vvisit_counter, a Joomla module for counting visits. The vulnerability was discovered by Andrea Serrano Urea.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-40636: CVSS v4.0: 9.3 | CVSS vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89.
Solution
The product has reached end of life (EoL), so there is no solution.
Detail
CVE-2025-40636: SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits.
CVE
Exploitation
No
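Because the module is EoL and has no fix, the practical first step is finding where it is still installed. The following inventory check is an added example, not part of the advisory or the module's code: it walks a web root, locates every `mod_vvisit_counter` directory and reads the version from its manifest. It assumes the usual Joomla layout, in which a module's XML manifest has an `<extension>` (or legacy `<install>`) root with a `<version>` child; the directory tree in `demo()` is constructed sample data.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

MODULE_DIR = "mod_vvisit_counter"   # module name from the advisory
AFFECTED_VERSION = "2.0.4j3"        # affected version from the advisory


def manifest_version(module_path):
    """Return the <version> text of the first Joomla manifest found, or None."""
    for name in sorted(os.listdir(module_path)):
        if not name.lower().endswith(".xml"):
            continue
        try:
            root = ET.parse(os.path.join(module_path, name)).getroot()
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed XML: try the next file
        # Assumption: manifest root is <extension>, or <install> on old Joomla.
        if root.tag in ("extension", "install"):
            version = root.findtext("version")
            return version.strip() if version else None
    return None


def find_installs(web_root):
    """Return sorted (path, version, affected) tuples for each module copy."""
    findings = []
    for dirpath, dirnames, _ in os.walk(web_root):
        if MODULE_DIR in dirnames:
            path = os.path.join(dirpath, MODULE_DIR)
            version = manifest_version(path)
            findings.append((path, version, version == AFFECTED_VERSION))
            dirnames.remove(MODULE_DIR)  # do not descend into the module
    return sorted(findings)


def demo():
    """Scan a constructed Joomla-like tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        mod = os.path.join(root, "site1", "modules", MODULE_DIR)
        os.makedirs(mod)
        with open(os.path.join(mod, MODULE_DIR + ".xml"), "w") as fh:
            fh.write('<extension type="module">'
                     '<version>2.0.4j3</version></extension>')
        os.makedirs(os.path.join(root, "site2", "modules", "mod_menu"))
        return [(os.path.relpath(p, root), v, a)
                for p, v, a in find_installs(root)]


if __name__ == "__main__":
    for path, version, affected in demo():
        print(path, version, "AFFECTED" if affected else "review (EoL module)")
```

Point `find_installs()` at the real document root of each hosted site; a copy whose version cannot be read or does not match is still an EoL module and should be reviewed manually.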