Joomla SP Movie Database Unauthenticated SQL Injection (CVE-2017-20266)

CVE-2017-20266 is an SQL injection vulnerability impacting Joomla SP Movie Database component version 1.3. This flaw allows unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability specifically resides in the searchword parameter within the searchresults view. Attackers can craft malicious SQL payloads and embed them in GET requests, enabling them to bypass authentication and extract sensitive information directly from the database. While the CVE was recently published to NVD (June 2026), the exploit itself dates back to 2017. Organizations using Joomla with the SP Movie Database component are advised to immediately verify their version and apply necessary patches or mitigations to prevent data breaches and unauthorized access.

Attack Chain

1. Reconnaissance: An unauthenticated attacker identifies a public-facing Joomla instance running the vulnerable SP Movie Database component version 1.3.
2. Vulnerability Identification: The attacker identifies the CVE-2017-20266 vulnerability affecting the searchword parameter within the searchresults view.
3. Initial Access: The attacker sends a specially crafted, unauthenticated HTTP GET request to the Joomla application, targeting the searchresults view (e.g., /index.php?option=com_spmoviedb&view=searchresults).
4. Exploitation: The GET request includes a malicious SQL payload injected into the searchword parameter (e.g., searchword=' OR 1=1 UNION SELECT USER(), DATABASE(), VERSION()--).
5. Command and Control: The application processes the request, and the injected SQL query is executed by the backend database.
6. Collection: The database's response, now containing sensitive information (like database user, name, or version), is returned within the web server's HTTP response.
7. Exfiltration: The attacker parses the HTTP response to extract the sensitive database information, which could include credentials, user data, or system configuration.
8. Impact: The exfiltrated data can be used for further attacks, such as lateral movement, unauthorized access to other systems, or selling stolen information.

Impact

Successful exploitation of CVE-2017-20266 can lead to severe consequences, primarily the unauthorized access and exfiltration of sensitive database information. This can include, but is not limited to, user credentials, personally identifiable information (PII), financial data, proprietary business data, and system configurations. The compromise of such data can result in significant financial losses, reputational damage, regulatory penalties, and further compromise of the affected organization's IT infrastructure. While specific victim counts are not available, any organization utilizing the affected version of Joomla SP Movie Database is at risk.

Recommendation

• Patch CVE-2017-20266 immediately: Upgrade Joomla SP Movie Database to a version patched against CVE-2017-20266 or remove the component if it is not essential.
• Deploy web server detection rules: Implement the provided Sigma rules to detect HTTP GET requests indicating attempts to exploit CVE-2017-20266.
• Enable web server logging: Ensure comprehensive logging for HTTP requests (method, URI, query parameters, status code) on web servers hosting Joomla applications to facilitate detection.
• Review database logs for unusual queries: Monitor database query logs for unusual or complex queries originating from the web application, especially those containing SQL keywords like UNION, SELECT, OR 1=1.