PT-2013-5950 · Vbulletin Solutions · Vbulletin
Barry Shteiman
·
Published
2013-10-19
·
Updated
2013-11-21
·
CVE-2013-6129
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
vBulletin versions 4.1 and 5
Description
The issue allows remote attackers to create administrative accounts via the
customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters. This has been exploited in the wild.Recommendations
For vBulletin version 4.1, update to a version that fixes this issue.
For vBulletin version 5, update to a version that fixes this issue.
As a temporary workaround, consider restricting access to the install/upgrade.php script until a patch is available.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vbulletin