PT-2005-3860 · Vbulletin Solutions · Vbulletin Deluxe +1 · Published 2005-09-21 · Updated 2016-10-18 · CVE-2005-3024

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the vulnerable software and affected versions: vBulletin versions 3.0.7 and earlier

Description: Multiple SQL injection flaws allow remote attackers to execute arbitrary SQL commands. Unsanitized input reaches database queries through various parameters in different PHP files, including announcement in "announcement.php", thread[forumid] and criteria in "thread.php", userid in "user.php", and several others in "admincalendar.php", "cronlog.php", "email.php", "help.php", "usertitle.php", "language.php", "phrase.php", "template.php", and "usertools.php".

Recommendations: For vBulletin versions 3.0.7 and earlier, consider disabling the SQL execution functionality until a patch is available. Restrict access to the vulnerable parameters (announcement, thread[forumid], criteria, userid, calendarcustomfieldid, calendarid, moderatorid, holidayid, calendarmoderatorid, calendar[0], cronid, user[usergroupid][0], help[0], limitnumber, limitstart, usertitleid, ids, rvt[0], keep[0], and dostyleid) to minimize the risk of exploitation, and avoid using these parameters in the affected API endpoints until the issue is resolved.

Exploit

Fix


Related identifiers

CVE-2005-3024

Affected products

Vbulletin