Skip to main content

Vbulletin CVE-2014-5102

HIGH
SQL Injection (CWE-89)
2014-07-25 cve@mitre.org
7.5
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector
Network
Attack Complexity
Low
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Jul 25, 2014 - 19:55 cve.org
HIGH 7.5

DescriptionCVE.org

SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

AnalysisAI

SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. Affected products include: Vbulletin. Version information: through 5.1.3.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2025-48827 CRITICAL POC
10.0 May 27

vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted t

CVE-2016-6195 CRITICAL POC
9.8 Aug 30

SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 bef

CVE-2025-48828 CRITICAL POC
9.0 May 27

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protec

CVE-2015-7808 HIGH POC
7.5 Nov 24

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PH

CVE-2013-6129 HIGH POC
7.5 Oct 19

The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the

CVE-2013-3522 MEDIUM POC
6.5 May 10

SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier

CVE-2020-17496 CRITICAL POC
9.8 Aug 12

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbe

CVE-2020-12720 CRITICAL POC
9.8 May 08

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. Rated critical

CVE-2019-16759 CRITICAL POC
9.8 Sep 24

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge

CVE-2017-17672 CRITICAL POC
9.8 Dec 14

In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file delet

CVE-2016-6483 HIGH POC
8.6 Sep 02

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Le

CVE-2017-17671 CRITICAL POC
9.8 Dec 14

vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an una

Share

CVE-2014-5102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy