Description
SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request.
References (5)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1031001
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/70417
Exploit (x_refsource_misc): http://packetstormsecurity.com/files/128696/vBulletin-4.x-SQL-Injection.html
Exploit (x_refsource_misc): https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022
Exploit (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Oct/56
Scores
EPSS: 0.0109
EPSS Percentile: 78.0%
Details
CWE: CWE-89
Status: published
Products (3)
vbulletin/vbulletin 4.2.0 pl2
vbulletin/vbulletin 4.2.1
vbulletin/vbulletin < 4.2.2
Published: Oct 15, 2014
Tracked Since: Feb 18, 2026