Summary
vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Note that to succeed, the attacker must have an administrative account with 'calendar' administrator access.
vBulletin 3.7.3.pl1 is vulnerable; other versions may also be affected.
Solution
Upgrade to the newest version of vBulletin.
Severity
Classification
- CVE: CVE-2008-6256
- CVSS Base Score: 6.5
- CVSS vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Related Vulnerabilities
- 1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
- Apache Roller 'q' Parameter Cross Site Scripting Vulnerability
- Advanced Image Hosting Cross Site Scripting Vulnerability
- Abtp Portal Project 'ABTPV_BLOQUE_CENT' Parameter Local and Remote File Include Vulnerabilities
- Andromeda Streaming MP3 Server Cross Site Scripting Vulnerability