
CVSS: 6.8 | EPSS: 0% | CPEs: 3 | EXPL: 2

Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php.
• References:
  http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html
  http://forum.mambo-foundation.org/showthread.php?t=10158
  http://osvdb.org/42531
  http://secunia.com/advisories/28670
  http://www.bugreport.ir/index_33.htm
  http://www.securityfocus.com/archive/1/487128/100/200/threaded
  http://www.vupen.com/english/advisories/2008/0325
  https://exchange.xforce.ibmcloud.com/vulnerabilities/39985
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.0 | EPSS: 0% | CPEs: 3 | EXPL: 1

MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to obtain sensitive information via certain requests to mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php, which reveals the installation path in an error message.
• References:
  http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html
  http://forum.mambo-foundation.org/showthread.php?t=10158
  http://osvdb.org/42529
  http://secunia.com/advisories/28670
  http://www.bugreport.ir/index_33.htm
  http://www.securityfocus.com/archive/1/487128/100/200/threaded
  http://www.vupen.com/english/advisories/2008/0325
  https://exchange.xforce.ibmcloud.com/vulnerabilities/39983
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 2

SQL injection vulnerability in the Versioning component (com_versioning) 1.0.2 in Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task to index.php.
• References:
  https://www.exploit-db.com/exploits/5989
  http://www.securityfocus.com/bid/30050
  https://exchange.xforce.ibmcloud.com/vulnerabilities/43526
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 2

SQL injection vulnerability in the com_musica module in Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
• References:
  https://www.exploit-db.com/exploits/5207
  http://www.securityfocus.com/archive/1/488996/100/0/threaded
  http://www.securityfocus.com/bid/28061
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 2

** DISPUTED ** SQL injection vulnerability in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the bid parameter in a showbiz action to index.php, a different vector than CVE-2008-0607. NOTE: CVE disputes this issue, since neither "showbiz" nor "bid" appears in the source code for SOBI2.
• References:
  https://www.exploit-db.com/exploits/7841
  http://www.attrition.org/pipermail/vim/2009-January/002136.html
  http://www.securityfocus.com/bid/33378
  https://exchange.xforce.ibmcloud.com/vulnerabilities/48131
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')