CVE-2008-2905 – Mambo 4.6.4 - Cache Lite Output Remote File Inclusion
https://notcve.org/view.php?id=CVE-2008-2905
PHP remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. Vulnerabilidad de inclusión de archivo remoto en PHP en includes/Cache/Lite/Output.php en el paquete Cache_Lite de Mambo 4.6.4 y anteriores, cuando register_globals está habilitado, permite a atacantes remotos ejecutar código PHP de su elección mediante un URL en el parámetro mosConfig_absolute_path. • https://www.exploit-db.com/exploits/9906 https://www.exploit-db.com/exploits/16912 https://www.exploit-db.com/exploits/5808 http://secunia.com/advisories/30685 http://www.securityfocus.com/bid/29716 http://www.securitytracker.com/id?1020295 https://exchange.xforce.ibmcloud.com/vulnerabilities/43101 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2008-2497
https://notcve.org/view.php?id=CVE-2008-2497
CRLF injection vulnerability in Mambo before 4.6.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en Mambo anterior a 4.6.4, permite a atacantes inyectar arbitrariamente cabeceras HTTP y llevar a cabo respuestas HTTP dividiendo ataques a través de vectores no especificados. • http://forum.mambo-foundation.org/showthread.php?t=11799 http://secunia.com/advisories/30343 http://www.securityfocus.com/bid/29373 http://www.vupen.com/english/advisories/2008/1660/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42645 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2008-2498
https://notcve.org/view.php?id=CVE-2008-2498
Multiple SQL injection vulnerabilities in index.php in Mambo before 4.6.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) articleid and (2) mcname parameters. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de inyección SQL en index.php en Mambo anterior a 4.6.4, cuando magic_quotes_gpc están deshabilitadas, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) articleid y (2)mcname. NOTA: algunos de estos detalles has sido obtenidos a partir de información de terceros. • http://forum.mambo-foundation.org/showthread.php?t=11799 http://secunia.com/advisories/30343 http://www.securityfocus.com/bid/29373 http://www.vupen.com/english/advisories/2008/1660/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42644 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-0517 – Mambo Component EstateAgent 0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-0517
SQL injection vulnerability in index.php in the Darko Selesi EstateAgent (com_estateagent) 0.1 component for Mambo 4.5.x and Joomla! allows remote attackers to execute arbitrary SQL commands via the objid parameter in a contact showObject action. Vulnerabilidad de inyección SQL en idex.php en el componente Darko Selesi EstateAgent (com_estateagent) 0.1 para Mambo 4.5.x y Joomla!. Permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro objid en una acción de contacto showObject. • https://www.exploit-db.com/exploits/5016 http://www.securityfocus.com/bid/27520 http://www.vupen.com/english/advisories/2008/0362 https://exchange.xforce.ibmcloud.com/vulnerabilities/40060 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-0789
https://notcve.org/view.php?id=CVE-2007-0789
SQL injection vulnerability in Mambo before 4.5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors in cancel edit functions, possibly related to the id parameter. Una vulnerabilidad de inyección SQL en Mambo versiones anteriores a 4.5.5, permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio de vectores no especificados en la cancelación de funciones edit, posiblemente relacionadas con el parámetro id. • http://mamboxchange.com/frs/shownotes.php?release_id=6232 http://osvdb.org/33088 http://secunia.com/advisories/24044 http://www.vupen.com/english/advisories/2007/0480 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •