CVE-2017-15966 in Zh YandexMap
Summary
by MITRE
The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php.
Analysis
by VulDB Data Team • 09/07/2025
The vulnerability identified as CVE-2017-15966 affects version 6.1.1.0 of the Zh YandexMap component for Joomla!, which lets websites display interactive maps with custom placemarks and markers. It is a SQL injection flaw that can be exploited through the placemarklistid parameter of the index.php script, a critical security weakness that compromises the integrity and confidentiality of affected systems.
The technical flaw stems from insufficient input validation and sanitization within the component's parameter handling mechanism. When the placemarklistid parameter is processed, the application fails to properly escape or validate user-supplied input before incorporating it into database queries. This allows malicious actors to inject arbitrary SQL commands through crafted input values that manipulate the database query execution flow. The vulnerability specifically targets the component's handling of placemark list identifiers, which are used to retrieve and display specific map placemarks from the backend database. Attackers can exploit this weakness to execute unauthorized database operations including data retrieval, modification, or deletion, potentially leading to complete database compromise.
The operational impact of this vulnerability extends beyond simple data theft: it enables attackers to gain unauthorized access to sensitive information stored in Joomla! installations that use this specific Zh YandexMap component version, which makes it particularly dangerous for websites that rely on this mapping functionality. Given that many Joomla! sites use third-party components for enhanced functionality, this vulnerability represents a significant risk to web application security and could lead to widespread compromise across multiple websites. The attack vector is relatively straightforward, requiring only a simple HTTP request with malicious input to the vulnerable parameter, making it accessible to attackers with basic technical skills.
Mitigation strategies for this vulnerability should prioritize immediate component updates to versions that address the SQL injection flaw, as the vendor likely released patches to resolve the issue. System administrators should implement proper input validation and parameter sanitization measures to prevent similar vulnerabilities in custom code implementations. Additionally, database access controls should be reviewed and restricted to minimize potential damage from successful exploitation attempts. The vulnerability aligns with CWE-89, which classifies SQL injection as a critical weakness in software applications, and maps to ATT&CK technique T1071.004 for application layer protocol manipulation. Organizations should also consider implementing web application firewalls and database activity monitoring to detect and prevent exploitation attempts, while maintaining comprehensive backup and recovery procedures to ensure business continuity in case of successful attacks.
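The input validation and query handling recommended above, as an added Python example (not the component's PHP code and not from the vendor): it strictly parses `placemarklistid`, binds the ids as query parameters, and reuses the same validator to triage request URLs. The comma-separated integer format, the `placemarks` table, and all function names are assumptions made for illustration.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate placemarklistid is 1-50 comma-separated integer ids.
_ID_LIST = re.compile(r"[0-9]{1,9}(?:,[0-9]{1,9}){0,49}")

def parse_id_list(raw):
    """Return the ids as ints, or raise ValueError for anything else."""
    if not isinstance(raw, str) or not _ID_LIST.fullmatch(raw):
        raise ValueError("placemarklistid must be comma-separated integers")
    return [int(part) for part in raw.split(",")]

def fetch_placemarks(db, raw):
    """Hardened lookup: validated ids are bound as parameters, never concatenated."""
    ids = parse_id_list(raw)
    marks = ",".join("?" * len(ids))  # only '?' characters reach the SQL text
    sql = f"SELECT id, title FROM placemarks WHERE list_id IN ({marks}) ORDER BY id"
    return db.execute(sql, ids).fetchall()

def suspicious_requests(urls):
    """Triage helper: component requests whose placemarklistid fails validation."""
    hits = []
    for url in urls:
        qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if qs.get("option") != ["com_zhyandexmap"]:
            continue  # not a request to this component
        values = qs.get("placemarklistid", [])
        if any(not _ID_LIST.fullmatch(v) for v in values):
            hits.append(url)
    return hits

def demo_db():
    """Constructed in-memory table standing in for the component's storage."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE placemarks (id INTEGER, list_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO placemarks VALUES (?, ?, ?)",
                   [(1, 1, "Office"), (2, 1, "Depot"), (3, 2, "Warehouse")])
    return db

# Constructed sample request URLs (not taken from real traffic).
SAMPLE_URLS = [
    "/index.php?option=com_zhyandexmap&placemarklistid=1,2",
    "/index.php?option=com_zhyandexmap&placemarklistid=1%27",
    "/index.php?option=com_content&placemarklistid=x",
]
```

Rejecting a malformed value outright, rather than trying to strip unwanted characters from it, keeps the validator and the log triage in agreement about what counts as a legitimate request.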