SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin Input Validation Flaw in 'ajax/render/memberlist_items' Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1030647
SecurityTracker URL:  http://securitytracker.com/id/1030647
CVE Reference:   CVE-2014-5102
Date:  Jul 25 2014
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2
Description:   A vulnerability was reported in vBulletin. A remote user can inject SQL commands.

The 'ajax/render/memberlist_items' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The original advisory is available at:

http://packetstormsecurity.com/files/127537/vBulletin-5.1.2-SQL-Injection.html

Nytro from Romanian Security Team reported this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   The vendor has issued a patch.

The vendor's advisory is available at:

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

Vendor URL:  www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2019, SecurityGlobal.net LLC