CVE-2011-4332
Description
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! 1.6.3 and earlier contain multiple XSS vulnerabilities in administrator screens, allowing remote attackers to inject arbitrary web script or HTML.
Vulnerability
Joomla! 1.6.3 and all earlier 1.6.x versions contain multiple cross-site scripting (XSS) vulnerabilities in various administrator screens [1][3]. The exact vectors are not disclosed in the available references, but the flaw allows injection of arbitrary web script or HTML [2].
Exploitation
An attacker must convince a privileged user (such as an administrator) to interact with a crafted link or view malicious content within the Joomla! admin interface [3]. No authentication is required for the initial injection, but the payload executes in the context of the victim's session [1].
Impact
Successful exploitation leads to arbitrary script execution in the browser of an authenticated administrator, potentially enabling theft of session cookies, defacement, or further compromise of the Joomla! site [2][3]. The impact is limited to the administrator's active session and browser [1].
Mitigation
Joomla! addressed these vulnerabilities in version 1.6.4, released on June 1, 2011 [2][3][4]. Users should upgrade to 1.6.4 or later. No workarounds are documented for unpatched versions [3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| joomla/joomla-cms | Packagist | < 1.6.4 | 1.6.4 |
Affected products
- cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:* (range: <=1.6.3)
- cpe:2.3:a:joomla:joomla\!:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:alpha:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:alpha2:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta10:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta11:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta12:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta13:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta14:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta15:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta4:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta5:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta6:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta7:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta8:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:beta9:*:*:*:*:*:*
- cpe:2.3:a:joomla:joomla\!:1.6:rc1:*:*:*:*:*:*
- (no CPE) (range: <=1.6.3)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-hq9x-8m8j-5hmh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-4332 (GHSA, advisory)
- developer.joomla.org/security/news/349-20110601-xss-vulnerabilities.html (NVD, web)
- seclists.org/fulldisclosure/2011/Nov/142 (NVD, web)
- www.openwall.com/lists/oss-security/2011/11/21/29 (NVD, web)
- web.archive.org/web/20111115073609/http://www.mavitunasecurity.com/xss-vulnerability-in-joomla-163 (GHSA, web)
- www.mavitunasecurity.com/xss-vulnerability-in-joomla-163/ (NVD)
News mentions
No linked articles in our index yet.