vBulletin 5.5.4 allows Two SQL Injection Vulnerabilities

Overview :
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
Affected Product(s) :
  • vBulletin 5.5.4
Vulnerability Details :
CVE ID : CVE-2019-17271
1) User input passed through keys of the “where” parameter to
the “ajax/api/hook/getHookList” endpoint is not properly validated
before being used in an SQL query. This can be exploited to e.g.
read sensitive data from the database through in-band SQL injection
attacks. Successful exploitation of this vulnerability requires an
user account with the “canadminproducts” or “canadminstyles” permission.2) User input passed through keys of the “where” parameter to
the “ajax/api/widget/getWidgetList” endpoint is not properly validated
before being used in an SQL query. This can be exploited to e.g.
read sensitive data from the database through time-based SQL injection
attacks. Successful exploitation of this vulnerability requires an
user account with the “canusesitebuilder” permission.

Solution :
Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or
later.

Facebook
Twitter
LinkedIn

Recent Blog Posts

Top 7 Cloud DDoS Protection Providers for 2025
10 Best Data Loss Prevention (DLP) Tools for 2025
Top Cybersecurity Compliance Standards in 2025
Best End-to-End Encryption Tools for 2025
Top 6 WAF Alternatives for Cloud-Native Apps

WAF Solution