It has been reported that Mambo Open Source may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute arbitrary HTML or script code in a user's browser. The issue exists in the 'Itemid' parameter of 'index.php' script.
Mambo Open Source version 4.6 has been reported to be prone to this issue, however, other versions may be affected has well.
Mambo Open Source mod_mainmenu.php Itemid Parameter XSS
Remote / Network Access
Loss of Integrity
Mambo Open Source contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "Itemid"
variable upon submission to the mod_mainmenu.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 4.5 (1.0.2) or higher, as it has been reported to fix this
vulnerability. An upgrade is required as there are no known workarounds.