CVE-2011-2509

Name of the Vulnerable Software and Affected Versions Joomla! versions prior to 1.6.4

Description The issue allows remote attackers to inject arbitrary web script or HTML via various components, including (1) the com contact component, as demonstrated by the Itemid parameter to "index.php"; (2) the com content component, as demonstrated by the filter order parameter to "index.php"; (3) the com newsfeeds component, as demonstrated by an arbitrary parameter to "index.php"; or (4) the option parameter in a reset.request action to "index.php". Additionally, when using Internet Explorer or Konqueror, attackers can inject arbitrary web script or HTML via the searchword parameter in a search action to "index.php" in the com search component.

Recommendations For versions prior to 1.6.4, update to version 1.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the com contact, com content, com newsfeeds, and com search components until a patch is applied. Avoid using the Itemid, filter order, and searchword parameters in the affected API endpoints until the issue is resolved.