CVE-2010-0800 in Com Dms
Summary
by MITRE
SQL injection vulnerability in the Ossolution Team Documents Seller (aka DMS) (com_dms) component 2.5.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a view_category action to index.php.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/01/2026
The vulnerability identified as CVE-2010-0800 represents a critical sql injection flaw within the ossolution team documents seller component for joomla cms version 2.5.1. This component, known as com_dms, exposes a dangerous input validation weakness that allows remote attackers to manipulate database queries through crafted malicious input. The vulnerability specifically manifests when processing the category_id parameter within the view_category action of the index.php script, creating an avenue for unauthorized database access and potential system compromise.
The technical flaw stems from insufficient input sanitization and parameter handling within the com_dms component's database query construction logic. When the category_id parameter is passed through the view_category action without proper validation or escaping, the application directly incorporates user-supplied data into sql statements. This primitive approach to query building violates fundamental security principles and creates a pathway for attackers to inject malicious sql code that executes with the privileges of the web application's database user account. The vulnerability aligns with CWE-89 which categorizes sql injection as a critical weakness in software applications where untrusted data is directly included in sql commands without proper sanitization.
The operational impact of this vulnerability extends beyond simple data theft to encompass complete system compromise. Remote attackers can leverage this weakness to execute arbitrary sql commands, potentially gaining access to sensitive user data, modifying database content, creating new database users, or even escalating privileges to system level access. The attack surface is particularly concerning as it affects a widely used joomla component, making it a prime target for automated exploitation tools. Successful exploitation could result in data breaches, service disruption, and potential lateral movement within network environments where joomla installations are deployed.
Mitigation strategies for CVE-2010-0800 must address both immediate remediation and long-term security hardening. The primary solution involves applying the official security patch released by the ossolution team or upgrading to a patched version of the com_dms component. Organizations should implement proper input validation and parameterized queries to prevent similar vulnerabilities from occurring in other parts of their applications. Database access controls should be reviewed to ensure the web application's database user account has minimal required privileges. Additionally, implementing web application firewalls and intrusion detection systems can provide additional layers of protection against sql injection attempts. This vulnerability demonstrates the importance of following secure coding practices and adheres to ATT&CK technique T1190 which describes the exploitation of sql injection vulnerabilities to gain unauthorized access to databases. Organizations should conduct comprehensive security assessments to identify similar vulnerabilities in other joomla components and third-party extensions that may be susceptible to the same class of attacks.