vBulletin 5.5.4 SQL Injection

2019.10.08
Credit: EgiX
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

---------------------------------------------------- vBulletin <= 5.5.4 Two SQL Injection Vulnerabilities ---------------------------------------------------- [-] Software Link: https://www.vbulletin.com/ [-] Affected Versions: Version 5.5.4 and prior versions. [-] Vulnerabilities Description: 1) User input passed through keys of the "where" parameter to the "ajax/api/hook/getHookList" endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the "canadminproducts" or "canadminstyles" permission. 2) User input passed through keys of the "where" parameter to the "ajax/api/widget/getWidgetList" endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the "canusesitebuilder" permission. [-] Solution: Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or later. [-] Disclosure Timeline: [30/09/2019] - Vendor notified [03/10/2019] - Patch released: https://bit.ly/2OptAzI [07/10/2019] - CVE number assigned [07/10/2019] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-17271 to these vulnerabilities. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2019-01


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top