CVE-2013-3522

vBulletin - SQL Injection

Title source: rule

Description

SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby, remote, php
https://www.exploit-db.com/exploits/30212

exploitdb WORKING POC VERIFIED
by Orestis Kourides · perl, webapps, php
https://www.exploit-db.com/exploits/24882

metasploit WORKING POC
by Orestis Kourides, sinn3r, juan vazquez · ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/vbulletin_vote_sqli.rb

metasploit WORKING POC EXCELLENT
by Orestis Kourides, juan vazquez · ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb

Scores

EPSS 0.5635
EPSS Percentile 98.1%

Details

CWE: CWE-89
Status: published
Products (1): vbulletin/vbulletin 5.0.0 beta_11 (2 CPE variants)
Published: May 10, 2013
Tracked Since: Feb 18, 2026