CVE-2009-1940
Description
Cross-site scripting (XSS) vulnerability in the administrator panel in the com_users core component for Joomla! 1.5.x through 1.5.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla 1.5.x through 1.5.10 administrator panel XSS via com_users core component allows arbitrary script injection.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the administrator panel of the com_users core component in Joomla! versions 1.5.x through 1.5.10 [1]. The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors [1][2]. The vulnerability was fixed in Joomla 1.5.11, released on June 5, 2009 [1].
Exploitation
The attacker does not need authentication to exploit this vulnerability: although the administrator panel is accessible after login, references indicate remote attackers can trigger it via unspecified vectors [1][2]. No detailed exploit steps are disclosed in the available references, but the low complexity suggests a crafted URL or form field can inject malicious script.
Impact
Successful exploitation leads to arbitrary web script or HTML execution in the context of the affected administrator panel [1][2]. This can result in session hijacking, credential theft, or defacement within the Joomla administrative interface, potentially compromising the entire site.
Mitigation
Upgrade to Joomla 1.5.11 or later, which contains the fix for this moderate-priority XSS issue [1]. No workaround details are provided in the available references [1][2]. The Joomla project strongly recommends immediate upgrade [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:joomla:joomla:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla:1.5.9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- developer.joomla.org/security/news/295-20090601-core-comusers-xss.html (nvd: Patch, Vendor Advisory)
- osvdb.org/54869 (nvd: Patch)
- www.securityfocus.com/bid/35189 (nvd: Exploit, Patch)
- secunia.com/advisories/35278 (nvd: Vendor Advisory)
- www.joomla.org/announcements/release-news/5235-joomla-1511-security-release-now-available.html (nvd)
- www.vupen.com/english/advisories/2009/1497 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/50924 (nvd)
News mentions
No linked articles in our index yet.