CVE-2010-3712
Description
Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x before 1.5.21 and 1.6.x before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving "multiple encoded entities," as demonstrated by the query string to index.php in the com_weblinks or com_content component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! 1.5.x before 1.5.21 and 1.6.x before 1.6.1 contain a cross-site scripting (XSS) vulnerability via multiple encoded entities in the query string to index.php.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Joomla! versions 1.5.x prior to 1.5.21 and 1.6.x prior to 1.6.1. The flaw arises from improper sanitization of user-supplied input in the query string passed to index.php, specifically within the com_weblinks and com_content components. An attacker can inject arbitrary web script or HTML by utilizing multiple encoded entities, bypassing content filtering mechanisms [1][2][3][4].
Exploitation
An attacker does not need authentication; the vulnerability can be triggered by a remote, unauthenticated user. The attack vector involves crafting a malicious URL containing the encoded payload in the query string and tricking a victim into clicking it (e.g., via a phishing email or a link on another site). The encoded entities must be constructed to survive Joomla's output handling, ultimately being rendered as executable script in the victim's browser [1][2][3][4].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session on the affected Joomla site. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as login credentials. The impact is confined to the web application's security context and does not directly affect the server itself [1][2][3][4].
Mitigation
Joomla! has addressed this vulnerability in version 1.5.21 (for the 1.5.x branch) and version 1.6.1 (for the 1.6.x branch). Users should upgrade to these patched versions or later. No workarounds are documented in the available references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2][3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:joomla:joomla\!:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.14:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.15:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.15:rc:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.16:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.18:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.19:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.20:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.9:*:*:*:*:*:*:*
- (no CPE) range: <1.5.21, <1.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The query string parameter was not properly sanitized upon submission to the /index.php URL, allowing multiple encoded entities to bypass filtering and inject arbitrary HTML/JavaScript."
Attack vector
An attacker crafts a URL containing multiple URL-encoded entities (e.g., %25%32%32%25%33%45%25%33%43) in the query string or path of index.php. When the server decodes the input, the double-encoding results in literal quote and angle-bracket characters that are not neutralized before being reflected in the page output [ref_id=1][ref_id=3]. The attack works against both SEO-enabled and SEO-disabled Joomla installations, targeting components such as com_weblinks and com_content [ref_id=1][ref_id=3]. The victim need only click the crafted link; no authentication is required to trigger the XSS [CWE-79].
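A defensive detection example for the double-encoding pattern described above, added here and not taken from Joomla or the cited advisories: it percent-decodes each request target repeatedly and flags requests in which quote or angle-bracket characters surface only after two or more passes. The log format, the function names and the `MAX_ROUNDS` cap are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

HTML_META = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_ROUNDS = 5  # assumed cap on decode passes

def first_markup_round(target, max_rounds=MAX_ROUNDS):
    """Return the number of percent-decode passes after which a quote or
    angle bracket first appears (0 = present raw), or None if it never does."""
    current = target
    for rounds in range(max_rounds + 1):
        if HTML_META.search(current):
            return rounds
        decoded = unquote(current)
        if decoded == current:   # fully canonical, nothing left to decode
            return None
        current = decoded
    return None

def scan(log_lines):
    """Return (target, passes) for requests whose markup characters only
    surface after two or more decode passes, i.e. input that a
    decode-once filter would let through."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        rounds = first_markup_round(m.group(1))
        if rounds is not None and rounds >= 2:
            hits.append((m.group(1), rounds))
    return hits

# Constructed access-log lines; the encoded strings reuse forms quoted on this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2011:10:00:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Mar/2011:10:00:05 +0000] "GET /index.php?option=com_weblinks&view=category&id=18&x%2522%253e%253c=1 HTTP/1.1" 200 6011',
    '192.0.2.12 - - [01/Mar/2011:10:00:09 +0000] "GET /index.php?q=%25%32%32%25%33%45%25%33%43 HTTP/1.1" 200 5977',
    '192.0.2.13 - - [01/Mar/2011:10:00:12 +0000] "GET /index.php?search=%22joomla%22 HTTP/1.1" 200 4800',
    '192.0.2.14 - - [01/Mar/2011:10:00:15 +0000] "GET /index.php?discount=100%2525 HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for target, rounds in scan(SAMPLE_LOG):
        print(f"decode passes={rounds}  {target}")
```

Singly encoded quotes (the `search=` line) and double-encoded text without markup (the `discount=` line) are not flagged; the rule isolates only input whose markup is hidden behind an extra encoding layer.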
Affected code
The advisory identifies the vulnerable entry point as /index.php, where the query string parameter was not properly sanitized [ref_id=1][ref_id=3]. Specific components named in the PoC URLs include com_weblinks and com_content [ref_id=1][ref_id=3]. The bundle does not include patch files or specific function names.
What the fix does
The advisory states that the vendor released a fix in Joomla! 1.6.1 (and earlier in 1.5.21) [ref_id=1][ref_id=3]. No patch diff is provided in the bundle, so the exact code change is not visible. The recommended remediation is to upgrade to Joomla! 1.6.1 or higher, which properly sanitizes query string input to prevent double-encoded entities from being reflected as executable script [ref_id=1][ref_id=3].
Preconditions
- network: Attacker must be able to deliver a crafted URL to the victim (e.g., via email, link, or web page).
- input: The target Joomla instance must be version 1.5.x before 1.5.21 or 1.6.x before 1.6.1.
Reproduction
For SEO-enabled Joomla 1.6.0, visit a URL such as: http://target/index.php/%2522%253E%253Cimg%2520src%253Da%2520onerror%253Dalert(String.fromCharCode(88,83,83))%253E09739572178%252F [ref_id=1][ref_id=3]. For SEO-disabled Joomla 1.6.0, visit: http://target/index.php?option=com_weblinks&view=category&id=18&Itemid=227&a86a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9666d64388c=1 [ref_id=1][ref_id=3].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- developer.joomla.org/security/news/9-security/10-core-security/322-20101001-core-xss-vulnerabilities (nvd, Vendor Advisory)
- joomlacode.org/gf/project/joomla/tracker/ (nvd)
- www.openwall.com/lists/oss-security/2010/10/08/4 (nvd)
- www.openwall.com/lists/oss-security/2010/10/11/4 (nvd)
- www.openwall.com/lists/oss-security/2011/03/13/8 (nvd)
- www.openwall.com/lists/oss-security/2011/03/14/22 (nvd)
- www.openwall.com/lists/oss-security/2011/03/18/3 (nvd)
- www.openwall.com/lists/oss-security/2011/03/18/5 (nvd)
- yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.5.20%5D_cross_site_scripting%28XSS%29 (nvd)