Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.6
CVE Id CVE-2006-1794
Last Modified 07 Mar 2011 09:34:07
Published 17 Apr 2006 06:02:00
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2006-1794

Summary

SQL injection vulnerability in Mambo 4.5.3, 4.5.3h, and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via (1) the $username variable in the mosGetParam function and (2) the $task parameter in the mosMenuCheck function in (a) includes/mambo.php; and (3) the $filter variable to the showCategory function in the com_content component (content.php).

Vulnerable Systems

Application

  • Mambo 4.0.14

  • Mambo 4.5 1.0.0

  • Mambo 4.5 1.0.1

  • Mambo 4.5 1.0.2

  • Mambo 4.5 1.0.3 Beta

  • Mambo 4.5.1 1.0.9

  • Mambo 4.5.1a

  • Mambo 4.5.2

  • Mambo 4.5.2.1

  • Mambo 4.5.2.2

  • Mambo 4.5.2.3

  • Mambo 4.5.3h


References

BID - 16775

MISC - http://www.gulftech.org/?node=research&article_id=00104-02242006

CONFIRM - http://source.mambo-foundation.org/view/news/Announcements/Security_Patch_Released/

BUGTRAQ - 20060224 Mambo Multiple Vulnerabilities

VUPEN - ADV-2006-0719

OSVDB - 23503

OSVDB - 23402

SECUNIA - 18935

XF - mambo-index2-sql-injection(24951)


Last Updated: 27 May 2016 10:42:10