Latest Security News about vBulletin

vBulletin 5.5.4 allows Two SQL Injection Vulnerabilities

Overview: vBulletin 5.5.4 allows SQL Injection via the “where” parameter of the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList endpoints.
Affected Product(s): vBulletin 5.5.4
Vulnerability Details: CVE ID: CVE-2019-17271
1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited […]

Exploitation in vBulletin allows remote command execution

Overview: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Affected Product(s): vBulletin 5.x through 5.5.4
Vulnerability Details: CVE ID: CVE-2019-16759
A specific utility may allow an attacker to gain remote command execution to privileged files.
Solution: Updates are available by contacting […]