vBulletin is a popular PHP forum software used to build online communities. vBulletin versions before 5.5.6 Patch Level 1, version 5.6.0 before 5.6.0 Patch Level 1 and version 5.6.1 before 5.6.1 Patch Level 1 suffer from a SQL injection vulnerability through the "nodeId" parameter in the getIndexableContent ajax function. A remote, unauthenticated attacker can exploit this issue to take over the forum administrator account and achieve remote code execution on the target host.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12720
forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-5-6-5-6-0-5-6-1-security-patch-level-1
packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html
www.vbulletin.com/docs/html/main/upgrade_patch_level
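The version ranges above can be turned into an inventory triage check. The following is an added example, not code from the advisory or from vBulletin: the accepted version string formats ("5.6.1 Patch Level 1", "5.6.1 PL1") and the host names are assumptions, and releases the text does not name (other major versions, anything after 5.6.1) are reported as "not-listed" rather than guessed.

```python
import re

# Fixed builds named in the advisory text: release -> first patched Patch Level.
FIXED_PL = {(5, 5, 6): 1, (5, 6, 0): 1, (5, 6, 1): 1}

# Assumed input formats: "5.6.1", "5.6.1 Patch Level 1", "5.6.1 PL1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Patch\s+Level|PL)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return ((major, minor, patch), patch_level); no suffix means level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {text!r}")
    major, minor, patch, pl = m.groups()
    return (int(major), int(minor), int(patch)), int(pl or 0)


def classify(text):
    """Map a version string to 'affected', 'patched' or 'not-listed'."""
    release, pl = parse_version(text)
    if release[0] != 5:
        return "not-listed"  # assumption: only the 5.x line is evaluated
    if release in FIXED_PL:
        return "patched" if pl >= FIXED_PL[release] else "affected"
    if release < (5, 5, 6):
        return "affected"  # sorts before 5.5.6 Patch Level 1
    return "not-listed"  # e.g. releases after 5.6.1, not covered by the text


def affected_hosts(inventory):
    """Return the sorted hosts whose reported version is in an affected range."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")


# Constructed sample inventory (hypothetical hosts and reported versions).
SAMPLE_INVENTORY = {
    "forum-a.example.org": "5.6.1",
    "forum-b.example.org": "5.6.1 Patch Level 1",
    "forum-c.example.org": "5.5.4",
    "forum-d.example.org": "5.6.0 PL1",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: apply the vendor Patch Level 1 update")
```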