CVE-2023-54357

HIGH

Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-54357. PoCs published by qw3rTyTy.

AI-analyzed exploit summary: This exploit demonstrates an information leak vulnerability in Joomla! com_booking component 2.4.9, allowing unauthenticated attackers to enumerate user accounts by brute-forcing user IDs via a crafted GET request.

Description

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
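
Detection sketch for the request pattern described above, as an added example that is not part of the original entry or the referenced PoC: it scans web server access logs for the getUserData request and reports clients that queried many distinct id values. The combined log format, the threshold of 5 and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Request parameters named in the CVE description.
SIGNATURE = {"option": "com_booking", "controller": "customer", "task": "getUserData"}

# Assumed common/combined log format: client IP first, request line in quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def getuserdata_id(url):
    """Return the id value if the URL is a getUserData request, else None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, wanted in SIGNATURE.items():
        # Parameter order is irrelevant; values are compared case-insensitively
        # so that casing variations in the log still match.
        if wanted.lower() not in (v.lower() for v in params.get(key, [])):
            return None
    return params.get("id", [""])[0]

def find_enumeration(lines, min_distinct_ids=5):
    """Map client IP -> distinct ids requested, for clients at or above the threshold."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD entry in the assumed format
        ip, url, _status = m.groups()
        user_id = getuserdata_id(url)
        if user_id is not None:
            seen[ip].add(user_id)
    return {ip: sorted(ids, key=lambda s: (len(s), s))
            for ip, ids in seen.items() if len(ids) >= min_distinct_ids}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:0{i} +0000] "GET /index.php?option=com_booking'
    f'&controller=customer&task=getUserData&id={i} HTTP/1.1" 200 180 "-" "-"'
    for i in range(1, 7)
] + [
    '198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?task=getUserData'
    '&id=42&controller=customer&option=com_booking HTTP/1.1" 200 175 "-" "-"',
    '198.51.100.20 - - [01/Jan/2024:10:01:05 +0000] "GET /index.php?option=com_content'
    '&view=article&id=3 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct ids requested via getUserData: {ids}")
```

Because the description states the request needs no authentication, any hit on this task from an anonymous client is worth reviewing; the distinct-id threshold only separates bulk enumeration from single lookups.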

Exploits (1)

exploitdb WORKING POC
by qw3rTyTy · python · webapps · php
https://www.exploit-db.com/exploits/51595

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Joomla! com_booking component 2.4.9
No auth needed
Prerequisites: Target running Joomla! with com_booking component 2.4.9 · Network access to the target
devstral-2 · analyzed Jun 20, 2026

References (4)

Core References
Exploit: ExploitDB-51595
https://www.exploit-db.com/exploits/51595
Product: Official Product Homepage
http://www.artio.net/
Third Party Advisory: VulnCheck Advisory: Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration
https://www.vulncheck.com/advisories/joomla-com-booking-information-disclosure-via-account-enumeration

Scores

CVSS v3: 7.5
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-203
Status: published
Products (1)
Artio/Joomla! com_booking component 2.4.9
Published: Jun 19, 2026
Tracked Since: Jun 20, 2026