Vulnerability CVE-2016-6195
Published: 2016-08-30

Description:
SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
vBulletin 4.2.3 SQL Injection
error1046
12.11.2016

Type:

CWE-89

 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Vbulletin -> Vbulletin 

 References:
http://www.securityfocus.com/bid/92687
http://www.vbulletin.org/forum/showthread.php?t=322848
https://enumerated.wordpress.com/2016/07/11/1/
https://github.com/drewlong/vbully
Copyright 2024, cxsecurity.com

 

Back to Top