Vulnerability Details : CVE-2014-2023
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
Vulnerability category: SQL Injection
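The Python below is an added illustration of the injection pattern the description names; it is not Tapatalk's or vBulletin's code. A handler decodes an XML-RPC call, the vulnerable variant splices the forum id into a DELETE, the hardened variant insists on an XML-RPC integer and binds it, and a boolean-based blind probe shows what an unauthenticated caller can pull out through the "rows affected" oracle. The method name, the table and column names, and the stored hash are assumptions constructed for the example.

```python
import sqlite3
import xmlrpc.client

# Constructed sample data. Table/column names and the stored hash are
# assumptions for this illustration, not vBulletin's or Tapatalk's schema.
ADMIN_HASH = "a1b2c3d4e5f60718"


def build_db():
    """Fresh in-memory database with one admin user and a few subscriptions."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE user(userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE subscribeforum(userid INTEGER, forumid INTEGER);
        INSERT INTO subscribeforum VALUES (1, 10), (1, 20), (2, 10);
        """
    )
    con.execute("INSERT INTO user VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    con.commit()
    return con


def craft_request(forum_id):
    """Attacker side: serialise an XML-RPC call (the method name is an assumption)."""
    return xmlrpc.client.dumps((forum_id,), methodname="unsubscribe_forum")


def unsubscribe_forum_vulnerable(con, body, userid):
    """Injectable pattern: the decoded parameter is spliced into the SQL text."""
    (forum_id,), _method = xmlrpc.client.loads(body)
    sql = "DELETE FROM subscribeforum WHERE userid = %d AND forumid = %s" % (userid, forum_id)
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # rows deleted: the one-bit signal a blind attacker needs


def unsubscribe_forum_fixed(con, body, userid):
    """Hardened handler: reject anything but an XML-RPC <int>, then bind it."""
    (forum_id,), _method = xmlrpc.client.loads(body)
    if type(forum_id) is not int:
        raise ValueError("forum_id must be an integer")
    cur = con.execute(
        "DELETE FROM subscribeforum WHERE userid = ? AND forumid = ?", (userid, forum_id)
    )
    con.commit()
    return cur.rowcount


def recover_hash(handler, length):
    """Boolean-based blind extraction against `handler`.

    Each probe asks whether one character of the admin hash equals a guess;
    the DELETE only fires (rowcount 1) when the guess is right. A fresh
    database is built per probe because the oracle itself is destructive.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for guess in "0123456789abcdef":
            payload = (
                "10 AND (SELECT substr(password,%d,1) FROM user WHERE userid=1) = '%s'"
                % (pos, guess)
            )
            try:
                hit = handler(build_db(), craft_request(payload), 1) == 1
            except ValueError:
                hit = False  # the hardened handler refuses the string outright
            if hit:
                recovered += guess
                break
        else:
            return recovered  # no guess matched: the injection did not execute
    return recovered


if __name__ == "__main__":
    print("vulnerable:", recover_hash(unsubscribe_forum_vulnerable, len(ADMIN_HASH)))
    print("fixed:     ", repr(recover_hash(unsubscribe_forum_fixed, len(ADMIN_HASH))))
```

The point of the type check is that XML-RPC already carries a type: a legitimate client sends `<int>10</int>`, so a `<string>` in that position has no honest reason to exist, and binding the value afterwards means the database never sees attacker-controlled SQL syntax.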
Products affected by CVE-2014-2023
- cpe:2.3:a:tapatalk:tapatalk:5.1.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.1.3:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.2.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.2.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.9.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.9.3:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.0.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.1.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.2.3:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.2.6:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:2.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.0.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.0.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.9.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.8.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.3.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.5.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.5.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.6.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.9.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.9.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.1.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.1.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.0.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.1.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.7.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.7.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.5.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.2.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.1.4:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.2.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.1.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.2.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.0.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.1.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:5.0.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.7.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.8.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.2.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.3.0:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.1.3:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:3.1.5:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.1.2:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:1.2.1:*:*:*:*:vbulletin:*:*
- cpe:2.3:a:tapatalk:tapatalk:4.4.0:*:*:*:*:vbulletin:*:*
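As an added check that is not part of the NVD entry, the Python below encodes the affected ranges from the description (4.9.0 and earlier, and 5.x through 5.2.1) as a predicate, pulls the version and target software out of each CPE name, and confirms that the enumeration above agrees with the prose. It follows the NVD wording literally: a version string between 4.9.0 and 5.0.0 falls outside both stated ranges and is reported as not affected, although the entry says nothing about such versions. The sample CPE names are copied from the list above; the non-vBulletin CPE in the usage is constructed.

```python
import re

# CPE 2.3 field order after the "cpe:2.3:" prefix:
# part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE_RE = re.compile(
    r"^cpe:2\.3:a:tapatalk:tapatalk:(?P<version>[0-9][0-9.]*)"
    r":[^:]*:[^:]*:[^:]*:[^:]*:(?P<target_sw>[^:]*):"
)

# Inclusive (low, high) bounds, exactly as the description states them
AFFECTED_RANGES = (((0, 0, 0), (4, 9, 0)), ((5, 0, 0), (5, 2, 1)))

# A subset of the CPE names listed on this page
SAMPLE_CPES = [
    "cpe:2.3:a:tapatalk:tapatalk:1.0.0:*:*:*:*:vbulletin:*:*",
    "cpe:2.3:a:tapatalk:tapatalk:2.0:*:*:*:*:vbulletin:*:*",
    "cpe:2.3:a:tapatalk:tapatalk:3.9.3:*:*:*:*:vbulletin:*:*",
    "cpe:2.3:a:tapatalk:tapatalk:4.9.0:*:*:*:*:vbulletin:*:*",
    "cpe:2.3:a:tapatalk:tapatalk:5.0.0:*:*:*:*:vbulletin:*:*",
    "cpe:2.3:a:tapatalk:tapatalk:5.2.1:*:*:*:*:vbulletin:*:*",
]


def parse_version(text):
    """'2.0' -> (2, 0, 0): pad to three components so tuple comparison is sound."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected version format: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when `version` falls inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def affected_from_cpe(cpe):
    """(version, affected) for a Tapatalk-for-vBulletin CPE name, else None."""
    m = CPE_RE.match(cpe)
    if m is None or m.group("target_sw") != "vbulletin":
        return None
    version = m.group("version")
    return version, is_affected(version)


def uncovered_versions(cpes):
    """Listed versions that the description's ranges would NOT cover (expect none)."""
    leftovers = []
    for cpe in cpes:
        result = affected_from_cpe(cpe)
        if result is not None and not result[1]:
            leftovers.append(result[0])
    return leftovers


if __name__ == "__main__":
    print("listing disagrees with prose for:", uncovered_versions(SAMPLE_CPES))
    for v in ("4.9.0", "4.9.5", "5.2.1", "5.2.2"):
        print(v, "affected" if is_affected(v) else "not affected by the stated ranges")
```

Run it against an installed plugin's version string before trusting a patch claim; the two-component versions in the list ("2.0") are why the parser pads rather than comparing strings.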
Exploit prediction scoring system (EPSS) score for CVE-2014-2023
EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~61% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2014-2023
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS v2) | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2014-2023
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2023
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023 : pub/pocs/cve-2014-2023 at master · tintinweb/pub · GitHub (Third Party Advisory)
- http://www.exploit-db.com/exploits/35102 : Tapatalk for vBulletin 4.x - Blind SQL Injection - PHP webapps Exploit (Third Party Advisory; VDB Entry)
- http://seclists.org/fulldisclosure/2014/Oct/57 : Full Disclosure: CVE-2014-2023 - Tapatalk for vBulletin 4.x - multiple blind sql injection (pre-auth) (Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/128854/vBulletin-4.x-Tapatalk-Blind-SQL-Injection.html : vBulletin 4.x Tapatalk Blind SQL Injection ≈ Packet Storm (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/70418 : Tapatalk for vBulletin CVE-2014-2023 Multiple SQL Injection Vulnerabilities (Third Party Advisory; VDB Entry)