Description

vBSEO is the leading SEO Plugin for vBulletin. There is a vulnerability in the 'proc_deutf()' function defined in /includes/functions_vbseocp_abstract.php. User input passed through 'char_repl' POST parameter isn't properly sanitized before being used in a call to preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary code leveraging the PHP's complex curly syntax.

Remediation

Upgrade to the latest version of vBSEO.

References

CVE-2012-5223

Related Vulnerabilities

PHP Use After Free Vulnerability (CVE-2016-9138)

Microsoft SQL Server Other Vulnerability (CVE-2000-0199)

Oracle JRE CVE-2020-2601 Vulnerability (CVE-2020-2601)

PleskWin Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-11583)

Liferay version older than 7.0

Severity

High

Classification

CVE-2012-5223 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities