CVE-2011-2917

Mambo < 4.6.5 - SQL Injection via zorder Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-2917. PoCs published by KraL BeNiM.

AI-analyzed exploit summary This is a writeup describing a SQL injection vulnerability in CMS 4.x.x (Mambo) via the 'zorder' parameter in administrator/index2.php. It provides the vulnerable URL and parameter but does not include executable exploit code.

Description

SQL injection vulnerability in administrator/index2.php in Mambo CMS 4.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the zorder parameter.

Exploits (1)

exploitdb WRITEUP
by KraL BeNiM · textwebappsphp
https://www.exploit-db.com/exploits/18110

This is a writeup describing a SQL injection vulnerability in CMS 4.x.x (Mambo) via the 'zorder' parameter in administrator/index2.php. It provides the vulnerable URL and parameter but does not include executable exploit code.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Theoretical
Target: CMS 4.x.x (Mambo)
Auth required
Prerequisites: access to the administrator panel · valid session or authentication
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/49130
Exploit mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/08/12/6
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18110
Exploit vdb-entry x_refsource_osvdb
http://www.osvdb.org/74502

Scores

EPSS 0.0126
EPSS Percentile 65.9%

Details

CWE
CWE-89
Status published
Products (6)
mambo-foundation/mambo 4.6 (3 CPE variants)
mambo-foundation/mambo 4.6.1
mambo-foundation/mambo 4.6.2 (3 CPE variants)
mambo-foundation/mambo 4.6.3
mambo-foundation/mambo 4.6.4
mambo-foundation/mambo < 4.6.5
Published Dec 08, 2011
Tracked Since Feb 18, 2026