vBulletin <= 5.5.4 Two SQL Injection Vulnerabilities

https://www.vbulletin.com/

• Affected Versions:

Version 5.5.4 and prior versions.

• Vulnerabilities Description:

  1. User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canadminproducts” or “canadminstyles” permission.

  2. User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canusesitebuilder” permission.

• Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or later.

• Disclosure Timeline:

[30/09/2019] – Vendor notified

[03/10/2019] – Patch released: https://bit.ly/2OptAzI

[07/10/2019] – CVE number assigned

[07/10/2019] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-17271 to these vulnerabilities.

• Credits:

Vulnerabilities discovered by Egidio Romano.