PT-2007-4211 · Vbulletin Solutions · Vbulletin

Published

2007-05-30

·

Updated

2017-07-29

·

CVE-2007-2911

CVSS v2.0

8.5

High

Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerable software and affected versions

vBulletin versions prior to 3.6.6

Description

The vulnerability allows remote authenticated administrators to execute arbitrary SQL commands. It is reachable via the search field, specifically the datelineafter variable in the GPC array, in the admincp/attachment.php file.

Recommendations

For versions prior to 3.6.6, update to version 3.6.6 or later, which resolves the issue. As a temporary workaround, restrict access to the admincp/attachment.php file to minimize the risk of exploitation, and avoid using the datelineafter variable in the affected endpoint until the update is applied.
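The record describes a request value (datelineafter, taken from the GPC array) reaching a SQL statement in an admin attachment search. The following PHP snippet is an added illustration of that class of defect and its fix; it is not vBulletin's code, and the table name, column names and the handler structure are assumptions. It contrasts the unsafe pattern (request value concatenated into the query text) with the hardened one (value parsed to an integer timestamp, validated, and bound as a typed parameter), using an in-memory SQLite database so it runs offline.

```php
<?php
// Added illustration, not vBulletin code: a hypothetical attachment-search
// handler that takes a "datelineafter" value from request input (the GPC
// array) and filters attachments by upload time. Table and column names are
// assumed.

// Constructed sample request input standing in for the GPC array.
$gpc = ['datelineafter' => '2007-05-01'];

// Vulnerable pattern: the raw request value is concatenated into the SQL
// string, so whatever the caller sends becomes part of the statement.
function build_query_unsafe(array $gpc): string
{
    return "SELECT attachmentid, filename, dateline FROM attachment"
         . " WHERE dateline > " . $gpc['datelineafter'];
}

// Hardened pattern: the value is parsed into an integer timestamp, rejected
// if it is not a date, and passed to the database as a bound integer
// parameter so it can never be interpreted as SQL.
function find_attachments_after(PDO $db, array $gpc): array
{
    $raw = $gpc['datelineafter'] ?? '';
    $ts = strtotime($raw);
    if ($ts === false) {
        throw new InvalidArgumentException('datelineafter is not a valid date');
    }
    $stmt = $db->prepare(
        'SELECT attachmentid, filename, dateline FROM attachment WHERE dateline > :after'
    );
    $stmt->bindValue(':after', $ts, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite database with constructed rows so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attachment (attachmentid INTEGER, filename TEXT, dateline INTEGER)');
$db->exec("INSERT INTO attachment VALUES (1, 'old.png', " . strtotime('2007-04-01') . ")");
$db->exec("INSERT INTO attachment VALUES (2, 'new.png', " . strtotime('2007-05-15') . ")");

echo build_query_unsafe($gpc), PHP_EOL;      // shows the concatenated query text
print_r(find_attachments_after($db, $gpc));  // parameterized lookup
```

The hardening relies on two independent controls: the input is coerced to the type the column actually holds (a Unix timestamp), and the database receives it as a bound parameter rather than as part of the statement text. Either alone narrows the problem; together they remove the injection path regardless of what the search field contains. Restricting who can reach the admin endpoint, as the recommendation above suggests, reduces exposure but does not replace fixing the query.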


Related identifiers

CVE-2007-2911

Affected products

Vbulletin