CVE-2015-3419
medium
CVSS v3: 6.5
CVSS v2: 4.0
VIR risk: 6.5
Description
vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure.
Predictions
Exploit likelihood: 75%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4319488-security-patch-released-for-vbulletin-5-1-4-5-1-6-and-vbulletin-cloud
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| vbulletin | vbulletin | 5.0.0 | |
| vbulletin | vbulletin | 5.0.1 | |
| vbulletin | vbulletin | 5.0.2 | |
| vbulletin | vbulletin | 5.0.3 | |
| vbulletin | vbulletin | 5.0.4 | |
| vbulletin | vbulletin | 5.0.5 | |
| vbulletin | vbulletin | 5.1.0 | |
| vbulletin | vbulletin | 5.1.1 | |
| vbulletin | vbulletin | 5.1.2 | |
| vbulletin | vbulletin | 5.1.3 | |
| vbulletin | vbulletin | 5.1.4 | |
| vbulletin | vbulletin | 5.1.5 | |
| vbulletin | vbulletin | 5.1.6 | |
References
- http://www.openwall.com/lists/oss-security/2015/04/24/4
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4319488-security-patch-released-for-vbulletin-5-1-4-5-1-6-and-vbulletin-cloud
CWEs
CWE-20