Mambo

mambo

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2011-2917 1Mambo Foundation 1Mambo Apr 29, 2026 Dec 8, 2011 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in administrator/index2.php in Mambo CMS 4.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the zorder parameter.
CVE-2011-3754 1Mambo Foundation 1Mambo Apr 29, 2026 Sep 23, 2011 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Mambo 4.6.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/sef.php and certain other file...Show more Mambo 4.6.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/sef.php and certain other files.Show less
CVE-2008-7215 2Brilaps Mambo Foundation 2Mambo Mostlyce Apr 23, 2026 Sep 11, 2009 N/A· v4 N/A· v3 5.8 MEDIUM· v2 The Image Manager in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to rename arbitrary files and cause a denial of service via modified file[NewFile][name], file[NewFile][tmp_name], and...Show more The Image Manager in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to rename arbitrary files and cause a denial of service via modified file[NewFile][name], file[NewFile][tmp_name], and file[NewFile][size] parameters in a FileUpload command, which are used to modify equivalent variables in $_FILES that are accessed when the is_uploaded_file check fails.Show less
CVE-2008-7214 2Brilaps Mambo Foundation 2Mambo Mostlyce Apr 23, 2026 Sep 11, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests...Show more Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php.Show less
CVE-2008-7213 2Brilaps Mambo Foundation 2Mambo Mostlyce Apr 23, 2026 Sep 11, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to injec...Show more Cross-site scripting (XSS) vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to inject arbitrary web script or HTML via the Command parameter.Show less
CVE-2008-7212 2Brilaps Mambo Foundation 2Mambo Mostlyce Apr 23, 2026 Sep 11, 2009 N/A· v4 N/A· v3 5.0 MEDIUM· v2 MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to obtain sensitive information via certain requests to mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php...Show more MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to obtain sensitive information via certain requests to mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php, which reveals the installation path in an error message.Show less
CVE-2008-2498 1Mambo Foundation 1Mambo Apr 23, 2026 May 28, 2008 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in index.php in Mambo before 4.6.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) articleid and (2) mcname parameters. NOT...Show more Multiple SQL injection vulnerabilities in index.php in Mambo before 4.6.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) articleid and (2) mcname parameters. NOTE: some of these details are obtained from third party information.Show less
CVE-2008-2497 1Mambo Foundation 1Mambo Apr 23, 2026 May 28, 2008 N/A· v4 N/A· v3 5.0 MEDIUM· v2 CRLF injection vulnerability in Mambo before 4.6.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2006-1957 2Joomla Mambo Foundation 2Joomla Mambo Apr 16, 2026 Apr 21, 2006 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed par...Show more The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remote attackers to cause a denial of service (disk consumption and possibly web-server outage) via multiple requests with different values of the feed parameter.Show less