SB2015081805 - SQL injection in J2Store plugin for Joomla!

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2015-6513)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the (1) sortby or (2) manufacturer_ids[] parameter to index.php. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website.

References

• http://j2store.org/download-j2store/j2store-v3-3-1-7.html
• http://packetstormsecurity.com/files/132658/Joomla-J2Store-3.1.6-SQL-Injection.html
• http://volatileminds.net/2015/07/07/j2store-316-sql-injection.html