CVE-2008-7213 – Mambo Module MOStlyCE 2.4 - 'connector.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-7213
Cross-site scripting (XSS) vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to inject arbitrary web script or HTML via the Command parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php en MOStlyCE y anteriores a la v2.4, como la usada en Mambo v4.6.3 y anteriores, permite a los atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través del parámetro Command. • https://www.exploit-db.com/exploits/31066 http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html http://forum.mambo-foundation.org/showthread.php?t=10158 http://osvdb.org/42530 http://secunia.com/advisories/28670 http://www.bugreport.ir/index_33.htm http://www.securityfocus.com/archive/1/487128/100/200/threaded http://www.securityfocus.com/bid/27470 http://www.vupen.com/english/advisories/2008/0325 https://exchange.xforce.ibmcloud.com/vulnerabilities/39984 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-7212
https://notcve.org/view.php?id=CVE-2008-7212
MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to obtain sensitive information via certain requests to mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php, which reveals the installation path in an error message. MOStlyCE anteriores a la v2.4, como la usada en Mambo v4.6.3 y anteriores, permiten a atacantes remotos obtener información sensible a través de determinadas peticiones sobre mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php el cual revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html http://forum.mambo-foundation.org/showthread.php?t=10158 http://osvdb.org/42529 http://secunia.com/advisories/28670 http://www.bugreport.ir/index_33.htm http://www.securityfocus.com/archive/1/487128/100/200/threaded http://www.vupen.com/english/advisories/2008/0325 https://exchange.xforce.ibmcloud.com/vulnerabilities/39983 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2008-6481 – Joomla! Component versioning 1.0.2 - 'id' SQL Injection
https://notcve.org/view.php?id=CVE-2008-6481
SQL injection vulnerability in the Versioning component (com_versioning) 1.0.2 in Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task to index.php. Vulnerabilidad de inyección SQL en el componente Versioning (com_versioning) v1.0.2 en Joomla! y Mambo permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "id" en una tarea de edición en index.php. • https://www.exploit-db.com/exploits/5989 http://www.securityfocus.com/bid/30050 https://exchange.xforce.ibmcloud.com/vulnerabilities/43526 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-6234 – Mambo Component com_Musica - 'id' SQL Injection
https://notcve.org/view.php?id=CVE-2008-6234
SQL injection vulnerability in the com_musica module in Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. Vulnerabilidad de inyeccion SQL en modulo de Joomla! com_musica y Mambo lo que permite a atacantes remotos ejecutar comandos SQL a su eleccion a traves del parametro "id" en index.php • https://www.exploit-db.com/exploits/5207 http://www.securityfocus.com/archive/1/488996/100/0/threaded http://www.securityfocus.com/bid/28061 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2009-0380 – Mambo Component SOBI2 RC 2.8.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2009-0380
SQL injection vulnerability in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the bid parameter in a showbiz action to index.php, a different vector than CVE-2008-0607. NOTE: CVE disputes this issue, since neither "showbiz" nor "bid" appears in the source code for SOBI2 ** CUESTIONADA ** Una vulnerabilidad de inyección de SQL en el componente de Joomla! y Mambo Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetro bid en una acción showbiz a index.php, un vector diferente que CVE-2008-0607. NOTA: CVE discute de este problema, ya que ni "showbiz" ni "bid" aparece en el código fuente de SOBI2. • https://www.exploit-db.com/exploits/7841 http://www.attrition.org/pipermail/vim/2009-January/002136.html http://www.securityfocus.com/bid/33378 https://exchange.xforce.ibmcloud.com/vulnerabilities/48131 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •