CVE-2023-54357

Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration

CVSS 8.7 HIGHEPSS 0.3%CWE-203

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

19 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

Artio · Joomla! com_booking component

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/51595unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/51595 https://www.vulncheck.com/advisories/joomla-com-booking-information-disclosure-via-account-enumeration http://www.artio.net/http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download