CVE-2015-7338 - SQL Injection in AcyMailing Joomla Component


1. Vulnerability Properties

  • Title: SQL Injection in AcyMailing Joomla Component
  • CVE ID: CVE-2015-7338
  • CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
  • Vendor: Acyba
  • Products: AcyMailing
  • Advisory Release Date: 28 October 2015
  • Advisory URL:
  • Credits: Discovery by Fábio Pires <fp[at]>, Filipe Reis <fr[at]>, Vitor Oliveira <vo[at]>

2. Vulnerability Summary

The AcyMailing component is vulnerable to SQL injection in its export controller, reachable from the Joomla back office (administrator interface).

3. Technical Details

To reproduce the issue, log in to the Joomla administrator interface and go to:

Joomla > Components > AcyMailing > Users > Export (and perform the export)


Then capture the export request (for example with an intercepting proxy) and modify it by adding the two parameters below, which the form does not send by itself:

  • exportdatageoloc[geolocation_longitude]=test&exportgeolocorder='

Note: The array key used in exportdatageoloc must be an existing column of the acymailing_geolocation table, otherwise the export code does not reach the vulnerable query.


With this we get the following response, which shows that the injected single quote broke the SQL query:


Now we inject our SQL payload into the exportgeolocorder parameter.


And we get the response containing the proof.
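The following is an added example, not code from the advisory or from AcyMailing, that models the two steps above (the quote that breaks the query, then a payload in exportgeolocorder that extracts information) and places the flawed pattern beside a fixed one. It assumes, since the parameter name suggests it, that exportgeolocorder ends up in the ORDER BY clause of the export query; the column names, sample rows and the use of SQLite instead of MySQL are assumptions made so the example runs offline.

```python
import sqlite3

# Constructed stand-in for the acymailing_geolocation table. The column names
# and rows are assumptions for this example, not the real AcyMailing schema,
# and SQLite replaces MySQL so the code runs without a Joomla install. The
# concatenation pattern below is an assumption about how the bug arises.
GEOLOC_COLUMNS = ("geolocation_subid", "geolocation_latitude", "geolocation_longitude")
SAMPLE_ROWS = [(1, 48.85, 2.35), (2, 38.72, -9.14), (3, 51.51, -0.13)]


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE acymailing_geolocation ("
        "geolocation_subid INTEGER, geolocation_latitude REAL, geolocation_longitude REAL)"
    )
    con.executemany("INSERT INTO acymailing_geolocation VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def build_export_request(column, order):
    """The two extra form fields the advisory appends to the captured export request."""
    return {"exportdatageoloc[%s]" % column: "test", "exportgeolocorder": order}


def vulnerable_export_sql(column, order):
    """Flawed pattern: the column key is checked against the table (as the
    advisory's note implies), but the order string is concatenated raw."""
    if column not in GEOLOC_COLUMNS:
        raise ValueError("unknown geolocation column: %r" % column)
    return ("SELECT geolocation_subid, %s FROM acymailing_geolocation ORDER BY %s"
            % (column, order))


def hardened_export_sql(column, order):
    """Fixed pattern: ORDER BY is built only from an allow-listed column and
    direction. Bind parameters cannot carry identifiers or ASC/DESC, so an
    allow-list is the correct control for sort expressions."""
    if column not in GEOLOC_COLUMNS:
        raise ValueError("unknown geolocation column: %r" % column)
    direction = order.strip().upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError("invalid sort direction: %r" % order)
    return ("SELECT geolocation_subid, %s FROM acymailing_geolocation ORDER BY %s %s"
            % (column, column, direction))


def run_export(build_sql, column, order):
    """Run the export query: ('rows', [...]), ('sql_error', msg) or ('rejected', msg)."""
    try:
        sql = build_sql(column, order)
    except ValueError as exc:
        return ("rejected", str(exc))
    con = open_sample_db()
    try:
        return ("rows", con.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))
    finally:
        con.close()


def blind_probe(condition_sql):
    """Boolean inference through ORDER BY on the vulnerable builder: when the
    condition holds the rows come back sorted by longitude, otherwise by
    latitude, so the row order leaks one bit of the database per request."""
    baseline = run_export(vulnerable_export_sql, "geolocation_longitude", "geolocation_longitude")
    payload = ("CASE WHEN (%s) THEN geolocation_longitude ELSE geolocation_latitude END"
               % condition_sql)
    probed = run_export(vulnerable_export_sql, "geolocation_longitude", payload)
    return probed == baseline


if __name__ == "__main__":
    print(build_export_request("geolocation_longitude", "'"))
    print(run_export(vulnerable_export_sql, "geolocation_longitude", "'"))   # SQL syntax error
    print(run_export(hardened_export_sql, "geolocation_longitude", "'"))     # rejected before the DB
    print(blind_probe("(SELECT COUNT(*) FROM acymailing_geolocation) = 3"))  # True
    print(blind_probe("(SELECT COUNT(*) FROM acymailing_geolocation) = 4"))  # False
```

The single quote reproduces the first screenshot (a syntax error from the database); the CASE payload shows why a broken ORDER BY is exploitable even without visible output, since the row order of the export itself becomes the oracle. Note that the hardened builder rejects bad input before any query is built, so the database never sees attacker-controlled SQL.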


4. Vulnerable Versions

  • AcyMailing 4.9.4.

5. Solution

  • Upgrade to AcyMailing 4.9.5 or later.

6. Vulnerability Timeline

  • September 01, 2015 — Bug reported to Acyba
  • September 02, 2015 — Acyba team acknowledges the vulnerability
  • October 14, 2015 — Acyba team releases a new version
  • October 28, 2015 — Public disclosure

7. References