Impact
A successful exploit may allow an unauthenticated attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Solution
Upgrade to Tapatalk vBulletin 4.x plugin series 5.2.2 or higher.
Insight
Tapatalk for vBulletin 4.x does not properly sanitize the parameters of some xmlrpc calls (unsubscribe_topic and unsubscribe_forum), allowing unauthenticated users to inject arbitrary SQL commands.
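The defensive pattern the Insight entry implies is that an XML-RPC handler must treat a caller-supplied topic or forum id as data, not as SQL text. The following is an added illustration written for this record, not Tapatalk's or vBulletin's code: an unsubscribe handler that validates the id before any query is built and then passes it as a bound parameter. The table name, the column names, the in-memory SQLite database and the sample rows are all constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the forum's thread-subscription table
# (table and column names are assumptions for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribethread (userid INTEGER, threadid INTEGER)")
    conn.executemany(
        "INSERT INTO subscribethread VALUES (?, ?)",
        [(7, 101), (7, 102), (8, 101)],
    )
    conn.commit()
    return conn


def parse_id(value):
    """Accept only a canonical positive decimal integer.

    Anything else (quotes, spaces, comment markers, empty strings, booleans)
    is rejected here, before a single byte of SQL is assembled.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("id must be an int or a numeric string")
    text = str(value)
    if not re.fullmatch(r"[1-9][0-9]{0,9}", text):
        raise ValueError("id must be a positive decimal integer")
    return int(text)


def unsubscribe_topic(conn, userid, topic_id):
    """Remove one subscription row; returns the number of rows deleted.

    The ids are bound with '?' placeholders, so the database driver never
    interprets their contents as SQL syntax.
    """
    uid = parse_id(userid)
    tid = parse_id(topic_id)
    cur = conn.execute(
        "DELETE FROM subscribethread WHERE userid = ? AND threadid = ?",
        (uid, tid),
    )
    conn.commit()
    return cur.rowcount


def xmlrpc_dispatch(conn, method, params):
    """Minimal dispatcher in the shape of an XML-RPC endpoint (assumed layout).

    Invalid input surfaces as a fault-style response instead of reaching SQL.
    """
    handlers = {"unsubscribe_topic": unsubscribe_topic}
    if method not in handlers:
        return {"fault": "unknown method"}
    try:
        removed = handlers[method](conn, *params)
    except ValueError as exc:
        return {"fault": str(exc)}
    return {"result": removed}


if __name__ == "__main__":
    db = make_db()
    print(xmlrpc_dispatch(db, "unsubscribe_topic", [7, "101"]))
    print(xmlrpc_dispatch(db, "unsubscribe_topic", [7, "101;"]))
```

The validation step is deliberately stricter than "is it an integer": a regular expression over the canonical form rejects leading signs, whitespace and zero, which keeps the accepted input set small enough to reason about, and the bound parameter is what actually prevents the injection the advisory describes.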
Affected
Tapatalk for vBulletin 4.x plugin series 5.2.1 and below.
Detection
Check the installed version of the Tapatalk vBulletin 4.x plugin.
References
Severity
Classification: -
CVE: CVE-2014-2023
CVSS Base Score: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N