Vendor: vBulletin
By: ROOT_EGY
CVSS: 6,5 (MEDIUM)
CWE: 89 (SQL injection)
Product Name: vBulletin
Affected Version From: 2.3
Affected Version To: 2.*.*
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
vBulletin Vulnerability versions 2.3.* – SQL injection
A vulnerability exists in the validation of input data in 'calendar.php' of vBulletin Version 2.3. It allows an attacker to send SQL requests to the server; in the example below the SQL is appended to the eventid parameter. An example of such an attack is:

www.server.som/forumpath/calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies, public, userid, '0000-0-0 ', version (), userid FROM calendar_events WHERE eventid = 14) order by eventdate

Additionally, Version 2.*.* has an XSS vulnerability involving a script tag in e-mail.
Mitigation:
Input validation should be used to prevent SQL injection attacks. Additionally, XSS attacks should be prevented by sanitizing user input.
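
One way to apply the input validation described above, and to find requests like the example in web server logs. This is an added example, not vBulletin code: it assumes eventid is meant to be a plain integer id, and the log lines are constructed samples in a common access-log layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: eventid is a plain positive integer id. [0-9] rather than \d
# keeps non-ASCII digits out; fullmatch() rejects trailing data and newlines.
EVENTID_RE = re.compile(r"[0-9]{1,10}")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def valid_eventid(raw):
    """Allow-list check: ASCII digits only, nothing before or after."""
    return bool(EVENTID_RE.fullmatch(raw))

def check_request(target):
    """Return the rejected eventid value, or None if the request is acceptable."""
    parts = urlsplit(target)
    if not parts.path.endswith("/calendar.php"):
        return None
    # parse_qs percent-decodes values and keeps every repeated eventid.
    for value in parse_qs(parts.query).get("eventid", []):
        if not valid_eventid(value):
            return value
    return None

def scan_log(lines):
    """Return (line_number, rejected_value) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        bad = check_request(m.group(1)) if m else None
        if bad is not None:
            hits.append((n, bad))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /forumpath/calendar.php?s=&action=edit&eventid=14 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2009:10:00:05 +0000] "GET /forumpath/calendar.php?s=&action=edit&eventid=14%20union%20select%201 HTTP/1.0" 200 7311',
    '192.0.2.44 - - [01/Jan/2009:10:00:09 +0000] "GET /forumpath/calendar.php?eventid=14&eventid=15-- HTTP/1.0" 200 7311',
    '192.0.2.10 - - [01/Jan/2009:10:00:12 +0000] "GET /forumpath/index.php?eventid=abc HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for n, bad in scan_log(SAMPLE_LOG):
        print(f"line {n}: rejected eventid {bad!r}")
```

Access logs normally record only the query string, so values sent in a POST body need the same allow-list check inside the application before they reach any SQL query.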