PT-2014-4436 · Vbulletin Solutions · Vbulletin

Tintinweb · Published 2014-10-15 · Updated 2015-08-13 · CVE-2014-2022

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: vBulletin versions 4.2.2, 4.2.1, 4.2.0 PL2, and earlier

Description: The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the conceptid argument in an xmlrpc API request to the "includes/api/4/breadcrumbs_create.php" endpoint.

Recommendations: For versions 4.2.2, 4.2.1, and 4.2.0 PL2, and all earlier versions, consider restricting access to the breadcrumbs_create.php file until a fix is available. As a temporary workaround, avoid using the conceptid argument in xmlrpc API requests to minimize the risk of exploitation.
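The two mitigations above (restrict access to the endpoint, and keep a non-numeric conceptid from ever reaching a query) can be enforced in front of the application. The following is an added example, not vBulletin's code and not part of the original advisory: a small request filter that parses an XML-RPC body, pulls out a conceptid value, and only lets the request through when conceptid is an unsigned integer. The endpoint path comes from the advisory; the assumption that conceptid arrives as a member of an XML-RPC struct parameter, and the sample request bodies, are constructed for the example.

```python
import re
import xmlrpc.client

# Endpoint named in the advisory; other paths are not inspected by this filter.
VULN_ENDPOINT = "/includes/api/4/breadcrumbs_create.php"

# Only an unsigned decimal integer is accepted as a conceptid (assumed shape;
# an id column is an integer, so anything else has no legitimate use here).
_INT_RE = re.compile(r"[0-9]{1,10}")

# Constructed sample bodies (not captured traffic). The struct layout is an
# assumption made for this example.
BENIGN_BODY = xmlrpc.client.dumps(
    ({"conceptid": "42"},), methodname="breadcrumbs_create")
SUSPECT_BODY = xmlrpc.client.dumps(
    ({"conceptid": "42'"},), methodname="breadcrumbs_create")


def extract_conceptid(body: str):
    """Return the conceptid member of the first struct parameter, or None."""
    params, _method = xmlrpc.client.loads(body)
    for param in params:
        if isinstance(param, dict) and "conceptid" in param:
            return param["conceptid"]
    return None


def is_valid_conceptid(value) -> bool:
    """True only for a non-negative int or a digit-only string."""
    if isinstance(value, bool):          # bool is an int subclass; reject it
        return False
    if isinstance(value, int):
        return value >= 0
    return isinstance(value, str) and _INT_RE.fullmatch(value) is not None


def inspect_request(path: str, body: str, block_endpoint: bool = False) -> str:
    """Decide 'allow' or 'block: <reason>' for one request.

    block_endpoint=True implements the advisory's first recommendation
    (deny the endpoint outright); otherwise the conceptid value is validated.
    """
    if path != VULN_ENDPOINT:
        return "allow"
    if block_endpoint:
        return "block: endpoint disabled pending fix"
    try:
        conceptid = extract_conceptid(body)
    except Exception as exc:             # malformed XML-RPC: fail closed
        return f"block: unparseable body ({type(exc).__name__})"
    if conceptid is None:
        return "allow"                   # the workaround: no conceptid at all
    if not is_valid_conceptid(conceptid):
        return "block: non-integer conceptid"
    return "allow"


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, "->", inspect_request(VULN_ENDPOINT, body))
```

Validation fails closed: a body that does not parse as XML-RPC is blocked rather than passed on, and bool is rejected explicitly because Python treats it as an int.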

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2014-2022

Affected Products

Vbulletin