CVE-2018-6582 in Zh GoogleMap

Summary

by MITRE

SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.


Analysis

by VulDB Data Team • 07/05/2025

The vulnerability CVE-2018-6582 is a critical SQL injection flaw in version 8.4.0.0 of the Zh GoogleMap component for Joomla!. The weakness is improper input validation of the id parameter in four request handlers: getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, and getPathDetails. It is classified as CWE-89 (SQL Injection) under the Common Weakness Enumeration, a persistent and dangerous class of flaw that lets attackers manipulate database queries through malicious input.

Exploitation occurs when an attacker submits a crafted SQL payload through the vulnerable id parameter of any of those requests. The component does not sanitize or escape the input before incorporating it into a database query, so attacker-supplied SQL is executed against the underlying database. The flaw is particularly dangerous because it sits in the component's core database access path and can expose sensitive data stored in the application's database to unauthorized readers.

The operational impact goes beyond data theft: the attacker can manipulate the database outright, extracting, modifying, or deleting data. That access could in turn be used to escalate privileges or gain administrative access to Joomla installations running Zh GoogleMap 8.4.0.0, which makes the issue especially concerning for organizations that have deployed this plugin widely.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1071.004 Application Layer Protocol: DNS, where attackers might use the compromised database to further their objectives. The vulnerability demonstrates poor input validation practices that violate fundamental security principles and could be exploited as one step in broader attack chains against web applications. Organizations should immediately apply patch management procedures to upgrade to the patched version of the Zh GoogleMap component and conduct thorough security assessments of their Joomla! installations. Parameterized queries, strict input validation, and a web application firewall add defense-in-depth against similar SQL injection attacks. The case also highlights the importance of regular security audits and vulnerability scanning of third-party components so that flaws are found and remediated before they are exploited.
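The two paragraphs above describe the mechanism (an id parameter pasted into a query) and the fix (type-checked input and parameterized query construction). The following is an added illustration written for this entry, not code from the Zh GoogleMap component or from VulDB. It assumes a simplified Joomla 3 task handler using the stock JFactory, JInput and JDatabaseQuery APIs; the table name #__gmap_placemarks_example and the function names are placeholders chosen for the example.

```php
<?php
// Added example (not Zh GoogleMap's code): a simplified Joomla 3 task handler
// that looks up one placemark by the "id" request parameter, first in the
// vulnerable shape the advisory describes, then in a hardened shape.
// Table #__gmap_placemarks_example is a placeholder name.

// --- Vulnerable pattern: the raw parameter is concatenated into the SQL text ---
function getPlacemarkDetailsVulnerable()
{
    $db    = JFactory::getDbo();
    $input = JFactory::getApplication()->input;

    // The 'raw' filter hands back the parameter untouched, so whatever the
    // client sent (digits or not) becomes part of the query string below.
    $id = $input->get('id', '', 'raw');

    // No escaping, no type check: any SQL contained in $id is executed by
    // the database exactly as if it had been written into the query.
    $db->setQuery('SELECT * FROM #__gmap_placemarks_example WHERE id = ' . $id);

    return $db->loadObject();
}

// --- Hardened pattern: validate the type, then build the query via the API ---
function getPlacemarkDetailsHardened()
{
    $db    = JFactory::getDbo();
    $input = JFactory::getApplication()->input;

    // getInt() runs JInput's integer filter; non-numeric input collapses to 0,
    // which the range check below rejects before any query is built.
    $id = $input->getInt('id', 0);
    if ($id <= 0) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // quoteName() protects identifiers; the (int) cast guarantees the only
    // thing reaching the WHERE clause is an integer literal.
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'title', 'description')))
        ->from($db->quoteName('#__gmap_placemarks_example'))
        ->where($db->quoteName('id') . ' = ' . (int) $id);

    $db->setQuery($query);

    return $db->loadObject();
}

// For a parameter that is legitimately a string (a placemark title, say),
// the same idea applies with the database quoting helper instead of a cast:
function findPlacemarkByTitle($title)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName('id'))
        ->from($db->quoteName('#__gmap_placemarks_example'))
        ->where($db->quoteName('title') . ' = ' . $db->quote($title));

    $db->setQuery($query);

    return $db->loadResult();
}
```

The point of the hardened handler is that the database never sees user-controlled text as part of the query grammar: numeric ids are cast to int and rejected when out of range, and string values go through the driver's quote() so they are treated as data. Applying the same pattern to each of the four task handlers named in the advisory removes the injection path; a web application firewall in front of the site is a useful second layer but not a substitute.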

Reservation: 02/02/2018

Disclosure: 02/05/2018

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.01411

KEV: no

Activities: very low
