CVE-2014-9438

Name of the Vulnerable Software and Affected Versions vBulletin version 4.2.2

Description A cross-site request forgery (CSRF) issue exists in the Moderator Control Panel, allowing remote attackers to hijack administrator authentication for various actions, including banning or unbanning a user via the username parameter in a 'dobanuser' action to 'modcp/banning.php', modifying user profiles, editing or approving posts or topics.

Recommendations For vBulletin version 4.2.2, as a temporary workaround, consider restricting access to the Moderator Control Panel to minimize the risk of exploitation. Avoid using the username parameter in the 'modcp/banning.php' endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.