Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities by hikashop.com
CVE-2025-25225 (GCVE-0-2025-25225)
Vulnerability from nvd – Published: 2025-03-15 18:06 – Updated: 2025-03-19 04:34
VLAI
Title
Extension - hikashop.com - Privilege escalation vulnerability Hikashop component version 1.0.0 - 5.1.3 for Joomla
Summary
A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.hikashop.com/ | product |
| https://github.com/AdamWallwork/CVEs/tree/main/20… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | Hikashop component for Joomla |
Affected:
1.0.0-5.1.3
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:17:23.827655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:18:05.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_hikashop",
"product": "Hikashop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Wallwork"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions."
}
],
"value": "A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T04:34:38.101Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.hikashop.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-25225"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - Privilege escalation vulnerability Hikashop component version 1.0.0 - 5.1.3 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2025-25225",
"datePublished": "2025-03-15T18:06:41.769Z",
"dateReserved": "2025-02-04T14:17:18.261Z",
"dateUpdated": "2025-03-19T04:34:38.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22210 (GCVE-0-2025-22210)
Vulnerability from nvd – Published: 2025-02-25 05:16 – Updated: 2025-04-04 04:35
VLAI
Title
Extension - hikashop.com - SQL injection in Hikashop component version 3.3.0 - 5.1.4 for Joomla
Summary
A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in backend.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.hikashop.com/ | product |
| https://github.com/AdamWallwork/CVEs/tree/main/20… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | Hikashop component for Joomla |
Affected:
3.3.0-5.1.4
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T13:44:16.425817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:45:10.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22210"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_hikashop",
"product": "Hikashop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "3.3.0-5.1.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Wallwork"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in backend."
}
],
"value": "A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in backend."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T04:35:49.991Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.hikashop.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22210"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - SQL injection in Hikashop component version 3.3.0 - 5.1.4 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2025-22210",
"datePublished": "2025-02-25T05:16:48.342Z",
"dateReserved": "2025-01-01T04:33:02.765Z",
"dateUpdated": "2025-04-04T04:35:49.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40746 (GCVE-0-2024-40746)
Vulnerability from nvd – Published: 2024-10-21 16:16 – Updated: 2025-03-20 04:35
VLAI
Title
Extension - hikashop.com - Stored cross site scripting vulnerability in Hikashop component for Joomla < 5.1.1
Summary
A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component < 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hikashop.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | HikaShop component for Joomla |
Affected:
1.0.0-5.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T16:45:48.170912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:18:03.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_osticky",
"product": "HikaShop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Catalin Iovita, https://github.com/cataliniovita"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component \u003c 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component \u003c 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T04:35:06.479Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.hikashop.com/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - Stored cross site scripting vulnerability in Hikashop component for Joomla \u003c 5.1.1",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2024-40746",
"datePublished": "2024-10-21T16:16:32.627Z",
"dateReserved": "2024-07-09T16:16:21.865Z",
"dateUpdated": "2025-03-20T04:35:06.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38044 (GCVE-0-2023-38044)
Vulnerability from nvd – Published: 2023-08-07 16:51 – Updated: 2024-10-20 04:33
VLAI
Title
Extension - hikashop.com - SQLi in HikaShop component for Joomla <= 4.7.2
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.hikashop.com/support/documentation/56… | vendor-advisory |
| https://extensions.joomla.org/vulnerable-extensio… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | HikaShop component for Joomla |
Affected:
4.0.0-4.7.2
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:13.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.hikashop.com/support/documentation/56-hikashop-changelog.html"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://extensions.joomla.org/vulnerable-extensions/resolved/hikashop-versions-from-4-4-1-to-4-7-2-are-affected-sql-injection/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:19:20.551060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:19:36.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://extensions.joomla.org/extension/hikashop/",
"defaultStatus": "unaffected",
"packageName": "com_hikashop",
"product": "HikaShop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "4.0.0-4.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vishal Saini and Siva Pothuluru S (Team Payatu)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability allows SQL Injection."
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability allows SQL Injection."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T04:33:21.414Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.hikashop.com/support/documentation/56-hikashop-changelog.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://extensions.joomla.org/vulnerable-extensions/resolved/hikashop-versions-from-4-4-1-to-4-7-2-are-affected-sql-injection/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - SQLi in HikaShop component for Joomla \u003c= 4.7.2",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2023-38044",
"datePublished": "2023-08-07T16:51:06.984Z",
"dateReserved": "2023-07-12T04:32:07.094Z",
"dateUpdated": "2024-10-20T04:33:21.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25225 (GCVE-0-2025-25225)
Vulnerability from cvelistv5 – Published: 2025-03-15 18:06 – Updated: 2025-03-19 04:34
VLAI
Title
Extension - hikashop.com - Privilege escalation vulnerability Hikashop component version 1.0.0 - 5.1.3 for Joomla
Summary
A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.hikashop.com/ | product |
| https://github.com/AdamWallwork/CVEs/tree/main/20… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | Hikashop component for Joomla |
Affected:
1.0.0-5.1.3
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:17:23.827655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:18:05.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_hikashop",
"product": "Hikashop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Wallwork"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions."
}
],
"value": "A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T04:34:38.101Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.hikashop.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-25225"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - Privilege escalation vulnerability Hikashop component version 1.0.0 - 5.1.3 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2025-25225",
"datePublished": "2025-03-15T18:06:41.769Z",
"dateReserved": "2025-02-04T14:17:18.261Z",
"dateUpdated": "2025-03-19T04:34:38.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22210 (GCVE-0-2025-22210)
Vulnerability from cvelistv5 – Published: 2025-02-25 05:16 – Updated: 2025-04-04 04:35
VLAI
Title
Extension - hikashop.com - SQL injection in Hikashop component version 3.3.0 - 5.1.4 for Joomla
Summary
A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in backend.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.hikashop.com/ | product |
| https://github.com/AdamWallwork/CVEs/tree/main/20… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | Hikashop component for Joomla |
Affected:
3.3.0-5.1.4
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T13:44:16.425817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:45:10.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22210"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_hikashop",
"product": "Hikashop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "3.3.0-5.1.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Wallwork"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in backend."
}
],
"value": "A SQL injection vulnerability in the Hikashop component versions 3.3.0-5.1.4 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the category management area in backend."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T04:35:49.991Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.hikashop.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-22210"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - SQL injection in Hikashop component version 3.3.0 - 5.1.4 for Joomla",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2025-22210",
"datePublished": "2025-02-25T05:16:48.342Z",
"dateReserved": "2025-01-01T04:33:02.765Z",
"dateUpdated": "2025-04-04T04:35:49.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40746 (GCVE-0-2024-40746)
Vulnerability from cvelistv5 – Published: 2024-10-21 16:16 – Updated: 2025-03-20 04:35
VLAI
Title
Extension - hikashop.com - Stored cross site scripting vulnerability in Hikashop component for Joomla < 5.1.1
Summary
A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component < 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hikashop.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | HikaShop component for Joomla |
Affected:
1.0.0-5.1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T16:45:48.170912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:18:03.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "com_osticky",
"product": "HikaShop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "1.0.0-5.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Catalin Iovita, https://github.com/cataliniovita"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component \u003c 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component \u003c 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised in the backend."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T04:35:06.479Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.hikashop.com/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - Stored cross site scripting vulnerability in Hikashop component for Joomla \u003c 5.1.1",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2024-40746",
"datePublished": "2024-10-21T16:16:32.627Z",
"dateReserved": "2024-07-09T16:16:21.865Z",
"dateUpdated": "2025-03-20T04:35:06.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38044 (GCVE-0-2023-38044)
Vulnerability from cvelistv5 – Published: 2023-08-07 16:51 – Updated: 2024-10-20 04:33
VLAI
Title
Extension - hikashop.com - SQLi in HikaShop component for Joomla <= 4.7.2
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.hikashop.com/support/documentation/56… | vendor-advisory |
| https://extensions.joomla.org/vulnerable-extensio… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hikashop.com | HikaShop component for Joomla |
Affected:
4.0.0-4.7.2
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:13.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.hikashop.com/support/documentation/56-hikashop-changelog.html"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://extensions.joomla.org/vulnerable-extensions/resolved/hikashop-versions-from-4-4-1-to-4-7-2-are-affected-sql-injection/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:19:20.551060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:19:36.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://extensions.joomla.org/extension/hikashop/",
"defaultStatus": "unaffected",
"packageName": "com_hikashop",
"product": "HikaShop component for Joomla",
"vendor": "hikashop.com",
"versions": [
{
"status": "affected",
"version": "4.0.0-4.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vishal Saini and Siva Pothuluru S (Team Payatu)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability allows SQL Injection."
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability allows SQL Injection."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T04:33:21.414Z",
"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"shortName": "Joomla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.hikashop.com/support/documentation/56-hikashop-changelog.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://extensions.joomla.org/vulnerable-extensions/resolved/hikashop-versions-from-4-4-1-to-4-7-2-are-affected-sql-injection/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Extension - hikashop.com - SQLi in HikaShop component for Joomla \u003c= 4.7.2",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
"assignerShortName": "Joomla",
"cveId": "CVE-2023-38044",
"datePublished": "2023-08-07T16:51:06.984Z",
"dateReserved": "2023-07-12T04:32:07.094Z",
"dateUpdated": "2024-10-20T04:33:21.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}