VYPR
Unrated severity · NVD Advisory · Published Oct 5, 2010 · Updated Apr 29, 2026

CVE-2010-2535

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Back End in Joomla! 1.5.x before 1.5.20 allow remote authenticated users to inject arbitrary web script or HTML via administrator screens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joomla! 1.5.x before 1.5.20 contains multiple XSS vulnerabilities in the Back End, allowing authenticated attackers to inject arbitrary web script or HTML via administrator screens.

Vulnerability

Joomla! 1.5.x versions before 1.5.20 contain multiple cross-site scripting (XSS) vulnerabilities in the Back End administrative interface. Insufficient input sanitization on parameters passed to pages related to administration settings allows injection of arbitrary web script or HTML [4]. The affected versions are Joomla! <= 1.5.19 [1][4].

Exploitation

An attacker must have a valid authenticated session as a Joomla! administrator to reach the vulnerable screens. By crafting a malicious URL or form parameter and enticing an administrator to interact with it, the attacker can inject arbitrary JavaScript into the context of the administrator session [2]. The injection occurs on administrator-facing pages, not on public-facing content [1][4].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim administrator's session. This could be used to hijack the session, deface administrative pages, or perform unauthorized actions with the administrator's privileges [2][4]. Impact is limited to the Back End; the attacker does not gain direct access to the server or database [4].

Mitigation

The vulnerability is fixed in Joomla! version 1.5.20, released on 15 July 2010 [3][4]. Administrators should upgrade to 1.5.20 or later. No workarounds are provided for versions 1.5.19 and earlier. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [2][3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Joomla/Joomla!: 22 versions
    • cpe:2.3:a:joomla:joomla\!:1.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.15:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.15:rc:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.16:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.17:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.18:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.19:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:joomla:joomla\!:1.5.9:*:*:*:*:*:*:*
    • (no CPE) range: <1.5.20

Patches

0

No patches discovered yet.

References

4
