vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
References
Link | Resource |
---|---|
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa | Patch Vendor Advisory |
http://packetstormsecurity.com/files/154758/vBulletin-5.5.4-SQL-Injection.html | Exploit Third Party Advisory VDB Entry |
Configurations
Information
Published : 2019-10-08 06:15
Updated : 2019-10-09 13:48
NVD link : CVE-2019-17271
Mitre link : CVE-2019-17271
JSON object : View
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Products Affected
vbulletin
- vbulletin