CVE-2015-7808

Name of the Vulnerable Software and Affected Versions vBulletin 5 Connect versions 5.1.2 through 5.1.9

Description The issue allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to the "ajax/api/hook/decodeArguments" API endpoint.

Recommendations For versions 5.1.2 through 5.1.9, consider disabling the vB Api Hook::decodeArguments method until a patch is available. Restrict access to the "ajax/api/hook/decodeArguments" API endpoint to minimize the risk of exploitation. Avoid using the arguments parameter in the affected API endpoint until the issue is resolved.