Skip to main content

Vbulletin CVE-2019-17271

MEDIUM
SQL Injection (CWE-89)
2019-10-08 cve@mitre.org
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 08, 2019 - 13:15 nvd
MEDIUM 4.9

DescriptionNVD

vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.

AnalysisAI

vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. Affected products include: Vbulletin.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2025-48827 CRITICAL POC
10.0 May 27

vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted t

CVE-2016-6195 CRITICAL POC
9.8 Aug 30

SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 bef

CVE-2025-48828 CRITICAL POC
9.0 May 27

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protec

CVE-2015-7808 HIGH POC
7.5 Nov 24

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PH

CVE-2013-6129 HIGH POC
7.5 Oct 19

The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the

CVE-2013-3522 MEDIUM POC
6.5 May 10

SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier

CVE-2020-17496 CRITICAL POC
9.8 Aug 12

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbe

CVE-2020-12720 CRITICAL POC
9.8 May 08

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. Rated critical

CVE-2019-16759 CRITICAL POC
9.8 Sep 24

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge

CVE-2017-17672 CRITICAL POC
9.8 Dec 14

In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file delet

CVE-2016-6483 HIGH POC
8.6 Sep 02

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Le

CVE-2017-17671 CRITICAL POC
9.8 Dec 14

vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an una

Share

CVE-2019-17271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy