CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2019-17271 – vBulletin 5.5.4 SQL Injection
https://notcve.org/view.php?id=CVE-2019-17271
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. vBulletin versión 5.5.4, permite la inyección de SQL por medio del parámetro where del archivo ajax/api/hook/getHookList o ajax/api/widget/getWidgetList. vBulletin versions 5.5.4 and below suffer from multiple remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/154758/vBulletin-5.5.4-SQL-Injection.html https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 13%CPEs: 1EXPL: 1CVE-2019-17132 – vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-17132
vBulletin through 5.5.4 mishandles custom avatars. vBulletin versiones hasta 5.5.4, maneja inapropiadamente los avatars personalizados. vBulletin versions 5.5.4 and below suffers from an updateAvatar remote code execution vulnerability. • https://www.exploit-db.com/exploits/47475 http://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2019/Oct/9 https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17131
https://notcve.org/view.php?id=CVE-2019-17131
vBulletin before 5.5.4 allows clickjacking. vBulletin versiones anteriores a 5.5.4, permite llevar a cabo el secuestro del cliqueo. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4421373-vbulletin-connect-5-5-4-is-now-available-for-download • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17130
https://notcve.org/view.php?id=CVE-2019-17130
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. vBulletin versiones hasta 5.5.4, maneja inapropiadamente las URL externas dentro del archivo /core/vb/vurl.php y los directorios /core/vb/vurl. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423391-vbulletin-5-5-5-alpha-4-available-for-download • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.8EPSS: 97%CPEs: 1EXPL: 21CVE-2019-16759 – vBulletin PHP Module Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-16759
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. vBulletin versiones 5.x hasta 5.5.4, permite la ejecución de comandos remota por medio del parámetro widgetConfig[code] en una petición routestring del archivo ajax/render/widget_php. The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. • https://www.exploit-db.com/exploits/47437 https://www.exploit-db.com/exploits/47447 https://github.com/jas502n/CVE-2019-16759 https://github.com/M0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit https://github.com/0xdims/CVE-2019-16759 https://github.com/nako48/CVE-2019-16759 https://github.com/FarjaalAhmad/CVE-2019-16759 https://github.com/r00tpgp/http-vuln-CVE-2019-16759 https://github.com/fxp0-4tx/CVE-2019-16759 https://github.com/sunian19/CVE-2019-16759 https:/ • CWE-94: Improper Control of Generation of Code ('Code Injection') •