Main Vulnerability Database Exploits ID:1041 - Exploit for SQL injection in vBulletin - CVE-2016-6195

ID:1041 - Exploit for SQL injection in vBulletin - CVE-2016-6195

Published: March 18, 2020

Vulnerability identifier: #VU5836

Vulnerability risk: Critical

CVE-ID: CVE-2016-6195

CWE-ID: CWE-89

Exploitation vector: Remote access

Vulnerable software:
vBulletin

Link to public exploit:

https://www.exploit-db.com/exploits/40751/

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in vulnerable application.

The vulnerability exists due to insufficient sanitization of user-supplied data in "postids" parameter within "forumrunner/includes/moderation.php" script. A remote attacker can send specially crafted HTTP request vulnerable script and execute arbitrary SQL commands in the back-end database.

Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable system.

Note: the vulnerability was being actively exploited.

Remediation

Install update from vendor's website:
http://members.vbulletin.com/patches.php

ID:1041 - Exploit for SQL injection in vBulletin - CVE-2016-6195

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human