CVE-2011-2509
Description
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! before 1.6.4 contains multiple XSS vulnerabilities via unescaped parameters in core components.
Vulnerability
CVE-2011-2509 describes multiple cross-site scripting (XSS) vulnerabilities in Joomla! versions prior to 1.6.4. The flaws exist in several core components because user-supplied input is not properly sanitized before being reflected back to the browser. Affected components include com_contact (e.g., the Itemid parameter), com_content (e.g., the filter_order parameter), com_newsfeeds (via arbitrary query-string parameters), and com_search (the searchword parameter, exploitable only when Internet Explorer or Konqueror is used). The option parameter in a reset.request action is also vulnerable [1][3][4].
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL containing XSS payloads in the vulnerable parameters. No authentication or special network position is required; the attacker only needs to entice a victim to click the crafted link. The payload executes in the victim's browser within the context of the Joomla! site. For the com_search vector, the attack is effective only when the victim uses Internet Explorer or Konqueror due to differences in how those browsers handle input encoding [2][3][4].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML into the victim's browser session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies or login credentials. The impact is confined to the victim's interaction with the affected Joomla! instance [1][4].
Mitigation
The vulnerability was resolved in Joomla! version 1.6.4, which was released on July 19, 2011. Users should upgrade to Joomla! 1.6.4 or later. There is no known workaround for earlier versions other than applying the vendor-supplied patch [1][2]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joomla/joomla-cms (Packagist) | < 1.6.4 | 1.6.4 |
Affected products
- cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* (range: <=1.6.3)
- cpe:2.3:a:joomla:joomla\!:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.14:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.15:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.15:rc:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.16:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.18:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.19:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.20:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.21:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.22:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.23:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:alpha:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:alpha2:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta10:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta11:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta12:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta13:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta14:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta15:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta4:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta5:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta6:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta7:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta8:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta9:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:rc1:*:*:*:*:*:*
- (no CPE) range: <1.6.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-controllable input in query string parameters (QueryString, option, searchword) is not sanitized before being reflected in web page output across multiple core components."
Attack vector
An attacker crafts a malicious URL containing JavaScript payloads in unsanitized parameters and tricks a victim into clicking it. For com_contact, com_content, and com_newsfeeds, the payload is injected via the query string (e.g., the Itemid or filter_order parameter) [ref_id=1][ref_id=2]. For the reset.request action, the payload is placed in the option parameter [ref_id=2]. For com_search, the searchword parameter is vulnerable via a POST request, but only when the victim uses Internet Explorer or Konqueror [ref_id=2]. The injected script executes in the victim's browser within the context of the Joomla! site [CWE-79].
Affected code
The vulnerabilities exist in the Joomla! core components com_contact, com_content, com_newsfeeds, and com_search, all reachable via /index.php [ref_id=2]. The advisory identifies that parameters such as QueryString, option, and searchword are not properly sanitized before being reflected in output [ref_id=2][ref_id=3]. No patch files are included in the bundle, so the exact function names are not specified.
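An added example, not code from Joomla! or the cited advisories: it reviews access-log request lines for markup characters in the query-string parameters this CVE names. The log lines, the `PROBE` marker and the function names are constructed for illustration; the searchword vector travels in a POST body, so it does not show up in a standard access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters needed to break out of an HTML attribute or element; none of the
# parameters named in this CVE legitimately carries them.
MARKUP = re.compile(r"[<>\"']")
# Components whose query string is reflected (vectors 1-3 in the description).
QUERY_STRING_COMPONENTS = {"com_contact", "com_content", "com_newsfeeds"}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flagged_params(url):
    """Return the sorted parameter names in `url` that carry markup."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return []
    # parse_qsl percent-decodes names and values before they are checked.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    option = next((v for k, v in pairs if k == "option"), "")
    flagged = set()
    if MARKUP.search(option):          # vector 4, checked here on any action
        flagged.add("option")
    if option in QUERY_STRING_COMPONENTS:
        for name, value in pairs:      # names count too: "arbitrary parameter"
            if MARKUP.search(name) or MARKUP.search(value):
                flagged.add(name)
    return sorted(flagged)

def scan(lines):
    """Return (line number, flagged names) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        names = flagged_params(match.group(1)) if match else []
        if names:
            findings.append((number, names))
    return findings

# Constructed access-log lines; PROBE is an inert marker, not a payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2011:10:00:01 +0000] "GET /index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1%22%3EPROBE HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Jun/2011:10:00:02 +0000] "GET /index.php?option=com_content&view=category&id=19&filter_order=a.title HTTP/1.1" 200 7011',
    '203.0.113.5 - - [28/Jun/2011:10:00:03 +0000] "GET /index.php?option=com_newsfeeds&view=category&id=17&x%22%3E=1 HTTP/1.1" 200 4302',
    '198.51.100.7 - - [28/Jun/2011:10:00:04 +0000] "POST /index.php?option=com_search HTTP/1.1" 200 3988',
    '203.0.113.5 - - [28/Jun/2011:10:00:05 +0000] "GET /index.php?option=com_users%22%3EPROBE HTTP/1.1" 200 2950',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {names}")
```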
What the fix does
The advisory states that the solution is to upgrade to Joomla! 1.6.4 or higher [ref_id=2]. No patch diff is included in the bundle, so the specific code changes are not visible. The vendor released the fix on 2011-06-28, the same day the vulnerability was publicly disclosed [ref_id=2].
Preconditions
- input: The victim must visit a crafted URL (or, for the com_search vector, submit a crafted POST request) while using a browser that does not provide additional encoding protections (Internet Explorer or Konqueror for the searchword vector).
- config: The Joomla! instance must be version 1.6.3 or lower.
- auth: No authentication is required; the attack can be performed by an unauthenticated remote attacker.
Reproduction
1. For com_contact: visit `http://target/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1">
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.openwall.com/lists/oss-security/2011/06/28/4 (nvd, Exploit, WEB)
- www.openwall.com/lists/oss-security/2011/06/29/12 (nvd, Exploit, WEB)
- github.com/advisories/GHSA-vcq7-x4wr-w2mj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2011-2509 (ghsa, ADVISORY)
- developer.joomla.org/security/news/352-20110604-xss-vulnerability.html (nvd, WEB)
- yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.6.3%5D_cross_site_scripting%28XSS%29 (nvd, WEB)