Description

An SQL injection vulnerability affects vBulletin 5.6.1 and earlier versions. The SQL injection vulnerability affects the vBulletin endpoint /ajax/api/content_infraction/getIndexableContent and can be exploited via the POST parameter nodeId[nodeid].

The following patches are available for the following versions of vBulletin Connect:

  • 5.6.1 Patch Level 1
  • 5.6.0 Patch Level 1
  • 5.5.6 Patch Level 1

If you are using a version of vBulletin 5 Connect prior to 5.5.6, it is imperative that you upgrade as soon as possible.

Remediation

Upgrade to the latest version of vBulletin 5.

References

vBulletin 5.6.1 - nodeId SQL Injection

vBulletin 5.5.6, 5.6.0, 5.6.1 Security Patch Level 1

Quick Overview: Upgrading vBulletin Connect

Related Vulnerabilities

WordPress Plugin FV Flowplayer Video Player SQL Injection (7.5.15.727)

WordPress Plugin UiPress lite-Effortless custom dashboards, admin themes and pages SQL Injection (3.4.06)

WordPress Plugin Asgaros Forum Multiple SQL Injection Vulnerabilities (1.15.12)

WordPress Plugin WooCommerce SQL Injection (5.5.0)

WordPress Plugin WP Post Page Clone SQL Injection (1.0)

Severity

High

Classification

CVE-2020-12720 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

SQL Injection