IQID:25207 vBulletin 5.5.2 PHP Object Injection S

IQID:25207 vBulletin 5.5.2 PHP Object Injection S

IQID: 25207 - December 2022

vBulletin versions 5.5.2 and below suffers from an issue where user input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

A Full Description is available for this threat, please sign in for access to Full Description.

Attack Data

Attack Data is available for this threat, please sign in for access to Attack Data.

CVSS Information

CVSS Information is available for this threat, please sign in for access to CVSS Information.

Date

Date Information is available for this threat, please sign in for access to Date Information.

Security Rule

A security rule is available to identify this threat, please sign in for access to security rules.

Permalink

Link directly to this page.

http://www.idappcom.com/db/?25207

© 2024 by IDappcom. Privacy policy. IDappcom Ltd, 6 Rural Enterprise Centre, Ludlow, Shropshire, SY8 1FF.