SQL injection vulnerability in the com_hbssearch component 1.0 in the Hotel Booking Reservation System (aka HBS) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the r_type parameter in a showhoteldetails action to index.php.
https://www.exploit-db.com/exploits/7538
https://exchange.xforce.ibmcloud.com/vulnerabilities/47539