Impact
A successful exploit may allow an unauthenticated attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Solution
Upgrade to Tapatalk vBulletin 4.x plugin series 5.2.2 or higher.
Insight
Tapatalk for vBulletin 4.x does not properly sanitize some XML-RPC calls for unsubscribe_topic and unsubscribe_forum, allowing unauthenticated users to inject arbitrary SQL commands.
Affected
Tapatalk for vBulletin 4.x plugin series 5.2.1 and below.
Detection
Check the version of the Tapatalk vBulletin 4.x plugin.
Severity
Classification
CVE: CVE-2014-2023
CVSS Base Score: 7.8
AV:N/AC:L/Au:N/C:C/I:N/A:N