CVE-2014-2022 : SQL injection vulnerability in includes/api/4/breadcrumbs

SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request.

Published 2014-10-15 14:55:06

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2014-2022

Vbulletin » Vbulletin
Versions up to, including, (<=) 4.2.2
cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
Matching versions
Vbulletin » Vbulletin » Version: 4.2.1
cpe:2.3:a:vbulletin:vbulletin:4.2.1:*:*:*:*:*:*:*
Matching versions
Vbulletin » Vbulletin » Version: 4.2.0 Update PL2
cpe:2.3:a:vbulletin:vbulletin:4.2.0:pl2:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-2022

EPSS FAQ

1.37%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-2022

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.1	HIGH	AV:N/AC:H/Au:S/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-2022

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-2022

http://www.securitytracker.com/id/1031001

vBulletin Input Validation Flaw in XMLRPC API Lets Remote Users Inject SQL Commands - SecurityTracker
http://seclists.org/fulldisclosure/2014/Oct/56

Full Disclosure: CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
Exploit
http://www.securityfocus.com/bid/70417

vBulletin 'breadcrumbs_create.php' SQL Injection Vulnerability
https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022

pub/pocs/cve-2014-2022 at master · tintinweb/pub · GitHub
Exploit
http://packetstormsecurity.com/files/128696/vBulletin-4.x-SQL-Injection.html

vBulletin 4.x SQL Injection ≈ Packet Storm
Exploit

Jump to

Vulnerability Details : CVE-2014-2022

Products affected by CVE-2014-2022

Exploit prediction scoring system (EPSS) score for CVE-2014-2022

CVSS scores for CVE-2014-2022

CWE ids for CVE-2014-2022

References for CVE-2014-2022