Vulnerability CVE-2014-5102

Vulnerability CVE-2014-5102

Published: 2014-07-25 Modified: 2014-07-26

Description:

SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

See advisories in our WLB2 database:

	Topic	Author	Date
Med.	vBulletin 5.1.2 SQL Injection *youtube	RST	19.07.2014
Med.	vBulletin 5.1.2 SQL Injection Exploit	Nytro	22.07.2014

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Vbulletin -> Vbulletin

References:

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

http://www.securityfocus.com/bid/68709

http://www.pcworld.com/article/2455500/emergency-vbulletin-patch-fixes-dangerous-sql-injection-vulnerability.html

http://packetstormsecurity.com/files/127537/vBulletin-5.1.2-SQL-Injection.html

Vulnerability CVE-2014-5102

SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

See advisories in our WLB2 database:

Med.

vBulletin 5.1.2 SQL Injection *youtube

Med.

vBulletin 5.1.2 SQL Injection Exploit

CWE-89

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

7.5/10

6.4/10

10/10

Remote

Low

No required

Partial

Partial

Partial

Affected software

References: