SQL Injection Vulnerability in vBulletin by Internet Brands
CVE-2016-6195
9.8 CRITICAL
What is CVE-2016-6195?
A SQL injection vulnerability exists in the moderation script of the vBulletin forum system, affecting versions before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1. It allows remote attackers to execute arbitrary SQL commands through the postids parameter in forumrunner/request.php. Exploitation of this flaw was reported in the wild in July 2016, so users should apply the recommended patches to guard against data breaches and unauthorized access.
EPSS Score
85% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged