vBulletin 5.5.2 PHP Object Injection
vBulletin versions 5.5.2 and below suffer from an issue where user input passed through the messageids request parameter to /ajax/api/vb4_private/movepm is not properly sanitized before being used in a call to the unserialize() PHP function. Malicious users can exploit this to inject arbitrary PHP objects into the application scope, allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
https://packetstormsecurity.com/files/170040/vbulletin552-exec.txt
Mon, 28 Nov 2022 15:49:13 GMT
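The following Python sketch is an added example, not part of the advisory or of vBulletin's code: it checks a messageids value for serialized PHP object tokens, for use in log review or a request filter in front of the endpoint. It assumes the parameter arrives as a single form-encoded field and that a legitimate value is a serialized array of scalars; the function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/ajax/api/vb4_private/movepm"  # endpoint named in the advisory
PARAM = "messageids"                       # parameter named in the advisory

SCALAR = re.compile(rb'(?:N|[bi]:[+-]?\d+|d:[^;]+);')  # null, bool, int, float
ARRAY = re.compile(rb'a:\d+:\{')                        # array header
STRING = re.compile(rb's:(\d+):"')                      # length-prefixed string
RANK = {"plain": 0, "reject": 1, "object": 2}           # severity order

def classify(value: bytes) -> str:
    """Token-walk a PHP serialize() string.

    'plain'  = only arrays, scalars and strings
    'object' = an O: or C: token in a structural position
    'reject' = empty input or any other token; treated as hostile (allowlist)
    Counts and brace balance are not validated; this is a filter, not a parser.
    """
    if not value:
        return "reject"
    pos = 0
    while pos < len(value):
        if value[pos:pos + 1] == b"}":
            pos += 1
        elif (m := SCALAR.match(value, pos)) or (m := ARRAY.match(value, pos)):
            pos = m.end()
        elif m := STRING.match(value, pos):
            # Skip the declared byte length so "O:" inside string data is not flagged.
            end = m.end() + int(m.group(1))
            if value[end:end + 2] != b'";':
                return "reject"
            pos = end + 2
        elif value[pos:pos + 2] in (b"O:", b"C:"):
            return "object"
        else:
            return "reject"
    return "plain"

def inspect_request(path: str, params: str) -> str:
    """params is the raw form-encoded query string or POST body (assumed)."""
    if urlsplit(path).path != ENDPOINT:
        return "ignored"
    values = parse_qs(params, keep_blank_values=True).get(PARAM)
    if not values:
        return "absent"
    # Report the most severe verdict across repeated parameters.
    return max((classify(v.encode()) for v in values), key=RANK.get)
```

Only a "plain" verdict should be allowed through; "object" and "reject" both indicate a value that should never reach unserialize().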