QwikSec

Security Database

CVE

CWE

Training

CVE-2015-7808

Published: Nov 24, 2015

Modified: Aug 6, 2024

PUBLISHED

Description

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

exploit

x_refsource_EXPLOIT-DB

http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq

x_refsource_MISC

http://packetstormsecurity.com/files/134331/vBulletin-5.1.2-Unserialize-Code-Execution.html

x_refsource_MISC

https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html

x_refsource_MISC

http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/

x_refsource_MISC

http://www.rapid7.com/db/modules/exploit/multi/http/vbulletin_unserialize

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.