CVE-2014-2022

vBulletin <4.2.2 - SQL Injection

Title source: llm

Description

SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request.

Exploits (1)

exploitdb WORKING POC
by tintinweb · python · webapps · php
https://www.exploit-db.com/exploits/40115

Scores

EPSS 0.0131
EPSS Percentile 79.6%

Classification

CWE
CWE-89
Status draft

Affected Products (3)

vbulletin/vbulletin < 4.2.2
vbulletin/vbulletin
vbulletin/vbulletin

Timeline

Published Oct 15, 2014
Tracked Since Feb 18, 2026