CVE-2008-6299
Description
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5.7 and earlier allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) the title and description parameters to the com_weblinks module and (2) unspecified vectors in the com_content module related to "article submission."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla 1.5.7 and earlier contain XSS in com_weblinks (title/description) and com_content (article submission), fixed in 1.5.8.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in Joomla! versions 1.5.7 and earlier. The flaws reside in the com_weblinks module, where the title and description parameters are not properly sanitized, and in the com_content module via unspecified vectors related to article submission [1]. The Joomla Project confirmed these as moderate-level security issues in the 1.5.8 release announcement [1].
Exploitation
An authenticated remote attacker with certain privileges, such as the ability to submit web links or create articles, can inject arbitrary web script or HTML into the affected parameters. The attacker does not require any special network position beyond standard web access to the Joomla site. No user interaction beyond a victim viewing the crafted content is needed [1].
Impact
Successful exploitation leads to arbitrary script execution in the context of the victim's browser, which can result in session hijacking, credential theft, or defacement. The attacker gains the ability to perform actions on behalf of the victim within the Joomla application, potentially compromising sensitive data or administrative access [1].
Mitigation
Joomla 1.5.8 [Wohnaiki], released on 10 November 2008, fixes these XSS issues by implementing default filtering for content and filtering for weblink descriptions [1]. Users should upgrade to version 1.5.8 or later. No workarounds are known for unpatched versions; upgrading is the only recommended mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:* (range: <=1.5.7)
- cpe:2.3:a:joomla:joomla:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.03:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0:beta:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0_beta:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0_beta2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5rc3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5rc4:*:*:*:*:*:*:*
- (no CPE) (range: <=1.5.7)
Patches
No patches discovered yet.
References
- developer.joomla.org/security/news/283-20081101-core-comcontent-xss-vulnerability.html (nvd: Patch, Vendor Advisory)
- developer.joomla.org/security/news/284-20081102-core-comweblinks-xss-vulnerability.html (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/32622 (nvd: Vendor Advisory)
- www.vupen.com/english/advisories/2008/3104 (nvd: Vendor Advisory)
- www.joomla.org/announcements/release-news/5219-joomla-158-released.html (nvd)
- www.securityfocus.com/bid/32263 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/46523 (nvd)