MidnightBSD

Advisories for mambo-foundation

CVE-2006-1957 MEDIUM

The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor            Product   Version
mambo-foundation  mambo     -
joomla            joomla!   *

CVE-2011-2917 HIGH

SQL injection vulnerability in administrator/index2.php in Mambo CMS 4.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the zorder parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor            Product   Version
mambo-foundation  mambo     4.6.2
mambo-foundation  mambo     4.6.4
mambo-foundation  mambo     4.6.3
mambo-foundation  mambo     4.6.1
mambo-foundation  mambo     4.6
mambo-foundation  mambo     *

CVE-2011-3754 MEDIUM

Mambo 4.6.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/sef.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor            Product   Version
mambo-foundation  mambo     4.6.5

CVE-2013-2562 LOW

Mambo CMS 4.6.5 stores the MySQL database password in cleartext in the document root, which allows local users to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255

Products Affected

Vendor            Product     Version
mambo-foundation  mambo_cms   4.6.5

CVE-2013-2563 LOW

Mambo CMS 4.6.5 uses world-readable permissions on configuration.php, which allows local users to obtain the admin password hash by reading the file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264

Products Affected

Vendor            Product     Version
mambo-foundation  mambo_cms   4.6.5

CVE-2013-2564 MEDIUM

Mambo CMS 4.6.5 allows remote attackers to cause a denial of service (memory and bandwidth consumption) by uploading a crafted file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor            Product     Version
mambo-foundation  mambo_cms   4.6.5

CVE-2013-2565 MEDIUM

A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php, and manager.php disclose the root path of the webserver.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor            Product     Version
mambo-foundation  mambo_cms   4.6.5