Description
A SQL injection vulnerability affects vBulletin 5.6.1 and earlier versions. The flaw is in the vBulletin endpoint /ajax/api/content_infraction/getIndexableContent and can be exploited via the POST parameter nodeId[nodeid].
Patches are available for the following versions of vBulletin Connect:
- 5.6.1 Patch Level 1
- 5.6.0 Patch Level 1
- 5.5.6 Patch Level 1
If you are using a version of vBulletin 5 Connect prior to 5.5.6, it is imperative that you upgrade as soon as possible.
Remediation
Upgrade to the latest version of vBulletin 5.
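For sites that cannot patch immediately, the following added example (not vBulletin code and not part of the original advisory) inspects captured or proxied requests for the endpoint and parameter named in the description. It assumes a legitimate node id is a plain decimal integer; the function names, the second endpoint path and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and POST parameter exactly as named in the advisory.
ENDPOINT = "/ajax/api/content_infraction/getIndexableContent"
PARAM = "nodeId[nodeid]"
# Assumption: a legitimate node id is a plain decimal integer.
INTEGER = re.compile(r"[0-9]{1,18}")


def inspect_request(method, url, body):
    """Return a reason string if the request should be flagged, else None."""
    if method.upper() != "POST":
        return None
    path = unquote(urlsplit(url).path).rstrip("/")
    if not path.lower().endswith(ENDPOINT.lower()):
        return None
    # parse_qsl percent-decodes names, so nodeId%5Bnodeid%5D is matched too.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if not name.startswith(PARAM):
            continue
        if name != PARAM:
            # e.g. nodeId[nodeid][0]: PHP would parse this into a nested array.
            return f"unexpected nested key {name!r}"
        if not INTEGER.fullmatch(value):
            return f"{PARAM} is not a plain integer: {value!r}"
    return None


# Constructed sample requests (method, URL, form-encoded body).
SAMPLES = [
    ("POST", ENDPOINT, "nodeId[nodeid]=42"),
    ("POST", "/forum" + ENDPOINT, "nodeId%5Bnodeid%5D=42%20trailing%20text"),
    ("POST", ENDPOINT, "nodeId[nodeid][0]=42"),
    ("POST", "/ajax/api/example/otherMethod", "nodeId[nodeid]=not-a-number"),
    ("GET", ENDPOINT, ""),
]


def scan(requests):
    """Return (index, reason) for every flagged request."""
    hits = []
    for i, (method, url, body) in enumerate(requests):
        reason = inspect_request(method, url, body)
        if reason:
            hits.append((i, reason))
    return hits
```

A check like this is a stopgap for log review or a filtering proxy; it does not replace applying the patch level for the installed version.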