CVE-2008-2905 – Mambo 4.6.4 - Cache Lite Output Remote File Inclusion
https://notcve.org/view.php?id=CVE-2008-2905
PHP remote file inclusion vulnerability in includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo 4.6.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. Vulnerabilidad de inclusión de archivo remoto en PHP en includes/Cache/Lite/Output.php en el paquete Cache_Lite de Mambo 4.6.4 y anteriores, cuando register_globals está habilitado, permite a atacantes remotos ejecutar código PHP de su elección mediante un URL en el parámetro mosConfig_absolute_path. • https://www.exploit-db.com/exploits/9906 https://www.exploit-db.com/exploits/16912 https://www.exploit-db.com/exploits/5808 http://secunia.com/advisories/30685 http://www.securityfocus.com/bid/29716 http://www.securitytracker.com/id?1020295 https://exchange.xforce.ibmcloud.com/vulnerabilities/43101 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2008-2497
https://notcve.org/view.php?id=CVE-2008-2497
CRLF injection vulnerability in Mambo before 4.6.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en Mambo anterior a 4.6.4, permite a atacantes inyectar arbitrariamente cabeceras HTTP y llevar a cabo respuestas HTTP dividiendo ataques a través de vectores no especificados. • http://forum.mambo-foundation.org/showthread.php?t=11799 http://secunia.com/advisories/30343 http://www.securityfocus.com/bid/29373 http://www.vupen.com/english/advisories/2008/1660/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42645 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2008-2498
https://notcve.org/view.php?id=CVE-2008-2498
Multiple SQL injection vulnerabilities in index.php in Mambo before 4.6.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) articleid and (2) mcname parameters. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de inyección SQL en index.php en Mambo anterior a 4.6.4, cuando magic_quotes_gpc están deshabilitadas, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) articleid y (2)mcname. NOTA: algunos de estos detalles has sido obtenidos a partir de información de terceros. • http://forum.mambo-foundation.org/showthread.php?t=11799 http://secunia.com/advisories/30343 http://www.securityfocus.com/bid/29373 http://www.vupen.com/english/advisories/2008/1660/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42644 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-0795 – Joomla! Component xfaq 1.2 - 'aid' SQL Injection
https://notcve.org/view.php?id=CVE-2008-0795
SQL injection vulnerability in index.php in the MGFi XfaQ (com_xfaq) 1.2 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an answer action. Vulnerabilidad de inyección SQL en en index,php en el componente MGFi XfaQ (com_xfaq) 1.2 de Mambo y Joomla! permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro aid en una acción de respuesta. • https://www.exploit-db.com/exploits/5109 http://www.securityfocus.com/bid/27784 https://exchange.xforce.ibmcloud.com/vulnerabilities/40494 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-0510 – Mambo Component 'com_newsletter' 4.5 - 'listid' SQL Injection
https://notcve.org/view.php?id=CVE-2008-0510
SQL injection vulnerability in index.php in the Newsletter (com_newsletter) component for Mambo 4.5 and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. Vulnerabilidad de inyección SQL en index.php en los componentes Newsletter (com_newsletter) para Mambo 4.5 y Joomla!. Permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro listid. • https://www.exploit-db.com/exploits/5007 http://www.securityfocus.com/bid/27502 http://www.vupen.com/english/advisories/2008/0354 https://exchange.xforce.ibmcloud.com/vulnerabilities/40036 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •