SQL Injection Vulnerability in vBulletin 5.5.4 - vBulletin
CVE-2019-17271

4.9MEDIUM

Key Information:

Vendor: Vbulletin
Status: Vbulletin
Vendor: CVE Published:; 8 October 2019

What is CVE-2019-17271?

vBulletin 5.5.4 is susceptible to SQL Injection attacks through the endpoints ajax/api/hook/getHookList and ajax/api/widget/getWidgetList. Attackers can exploit this vulnerability by manipulating parameters, potentially leading to unauthorized access to the database and exposing sensitive user information. It is critical for users of vBulletin 5.5.4 to apply updates and implement security measures to mitigate the risk.

References

https://forum.vbulletin.com/forum/vbulletin-announcements...

x_refsource_MISC

http://packetstormsecurity.com/files/154758/vBulletin-5.5...

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 8, 2019
Vulnerability Reserved
Oct 7, 2019

Vbulletin

What is CVE-2019-17271?

References

CVSS V3.1

Timeline