CVE-2010-1649
Description
Multiple cross-site scripting (XSS) vulnerabilities in the back end in Joomla! 1.5 through 1.5.17 allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "various administrator screens," possibly the search parameter in administrator/index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in Joomla! 1.5 through 1.5.17 allow remote attackers to inject arbitrary web script or HTML via unknown vectors in the back-end administrator screens.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the back end of Joomla! versions 1.5 through 1.5.17. The issue involves unknown vectors related to various administrator screens, with the search parameter in administrator/index.php being a possible attack surface [1].
Exploitation
A remote attacker can exploit these vulnerabilities by injecting arbitrary web script or HTML into the administrator interface. The available references do not explicitly state that authentication is required. Because the attack targets the back-end screens, the attacker may need to trick an authenticated administrator into visiting a crafted link, or the vulnerability may be reachable without prior authentication [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script or HTML in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or other client-side attacks within the Joomla! administrative environment [1].
Mitigation
The Joomla! project addressed these vulnerabilities in version 1.5.18. Users are advised to upgrade to Joomla! 1.5.18 or later. No workarounds have been published for users unable to upgrade [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joomla/joomla-cms (Packagist) | >= 1.5, < 1.5.18 | 1.5.18 |
Affected products
- cpe:2.3:a:joomla:joomla\!:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.14:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.15:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.16:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.9:*:*:*:*:*:*:*
- (no CPE) range: <=1.5.17
Patches
No patches discovered yet.
References
- secunia.com/advisories/39964 (nvd, Vendor Advisory)
- github.com/advisories/GHSA-fj57-vhrc-73r7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2010-1649 (ghsa, ADVISORY)
- developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html (ghsa, WEB)
- developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html (nvd, WEB)
- web.archive.org/web/20200228225430/https://www.securityfocus.com/bid/40444 (ghsa, WEB)
- www.osvdb.org/65011 (nvd)
- www.securityfocus.com/bid/40444 (nvd)