
Vulnerability Joomulus
#3609
Vulnerability Joomulus 7 Months, 3 Weeks ago Karma: 0
I hate to bring the bad news but I found the following via google:
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4573
xforce.iss.net/xforce/xfdb/55156

Multiple cross-site scripting (XSS) vulnerabilities in the Joomulus (mod_joomulus) module 2.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the tagcloud parameter in a tags action to (1) tagcloud_ell.swf, (2) tagcloud_eng.swf, (3) tagcloud_por.swf, (4) tagcloud_rus.swf, and possibly (5) tagcloud_jpn.swf. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
It's just 14 days old so hopefully the author can fix this!

Useful link: websecurity.com.ua/3789/
dsbbi51
Fresh Boarder
Posts: 1
Last Edit: 2010/01/22 14:28 By dsbbi51.Reason: add useful link
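As an added illustration (not from this thread or the Joomulus project), a small Python scanner that flags web-server log entries in which the advisory's tagcloud parameter, sent to one of the named tagcloud_*.swf files, carries script markup. The log lines, IP addresses, module path and detection patterns are all constructed assumptions, since the thread gives no request details.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The SWF files named in the NVD entry (tagcloud_jpn.swf is listed as "possibly" affected).
AFFECTED_SWF = re.compile(r"/tagcloud_(ell|eng|por|rus|jpn)\.swf$", re.IGNORECASE)

# Common Log Format: ip ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (assumption): script tags, javascript: URLs or inline event handlers
# in the decoded value; plain anchor markup is left alone to limit false positives.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

SAMPLE_LOG = [  # constructed sample entries, not real traffic
    # ordinary tag markup with an http link: should not be flagged
    '198.51.100.7 - - [22/Jan/2010:14:20:11 +0000] "GET /modules/mod_joomulus/tagcloud_eng.swf'
    '?tagcloud=%3Ctags%3E%3Ca+href%3D%27http%3A%2F%2Fexample.org%2Ftag%2Fjoomla%27%3Ejoomla'
    '%3C%2Fa%3E%3C%2Ftags%3E HTTP/1.1" 200 41277',
    # script markup inside the tagcloud value of an affected SWF: flagged
    '203.0.113.5 - - [22/Jan/2010:14:28:00 +0000] "GET /modules/mod_joomulus/tagcloud_rus.swf'
    '?tagcloud=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 41277',
    # same value against an unrelated path: outside this rule's scope
    '203.0.113.5 - - [22/Jan/2010:14:28:03 +0000] "GET /index.php'
    '?tagcloud=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
]

def parse_line(line):
    """Return the fields of one CLF entry, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(target):
    """True when the request path is an affected SWF and tagcloud carries script markup."""
    parts = urlsplit(target)
    if not AFFECTED_SWF.search(parts.path):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("tagcloud", []):
        # parse_qs already decoded once; decode again to catch double-encoded values
        if SUSPICIOUS.search(unquote_plus(value)):
            return True
    return False

def scan(lines):
    """Return (ip, target) for every parsable entry that is_suspicious() flags."""
    records = (parse_line(line) for line in lines)
    return [(r["ip"], r["target"]) for r in records if r and is_suspicious(r["target"])]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"suspicious tagcloud request from {ip}: {target}")
```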
 
#3893
Re: Vulnerability Joomulus 5 Months, 4 Weeks ago Karma: 0
Almost 2 months have passed, could anyone comment on this? Is it true?
scept1c
Fresh Boarder
Posts: 7
Gender: Male Location: Moldova Birthday: 03/23
Softmarket.ro - Freelance projects and Joomla articles Home of Yahoo Mass Messenger - send instant messages to huge userlists
 
#3895
Re: Vulnerability Joomulus 5 Months, 4 Weeks ago Karma: 40
My colleague and brother is the developer of Joomulus so I am answering in his stead.

The first and most important point is that to our knowledge this possible exploit is not proven and we have not heard of anyone actually suffering an attack via this method.

We have been in discussions with Roy Tanck - the developer of the original Wordpress Cumulus tag cloud - and his cloud supposedly had the same vulnerability.

Roy has come to the same conclusion we have which is that the exploit seems to be theoretical and indeed extremely hard to pull off.

Roy has not come across a single example of a site being maliciously attacked with this exploit - and neither have we.

That said, we do have some minor tweaks to Joomulus to be released in the very near future (probably this week) that will provide some additional security.
Big Bear
Administrator
Posts: 985
Joomla Templates