CVE-2014-2023
Published 2017-10-26
Priority: P269 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.15% (89.6th percentile)
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
Affected
47 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 6.2.0 < 6.2.11 | 6.2.11 |
| tapatalk | tapatalk | — | — |
Detection & IOCs (extracted from sources)
command: -1 union %s and ( select sleep(%s) ) union select subscribeforumid from subscribeforum where 1=1 OR 1=1
command: -1 union %s and ( select sleep(%s) ) union select subscribethreadid from subscribethread where 1=1 OR 1=1
- Exploit targets the XML-RPC endpoint at mobiquo.php; monitor for XML-RPC POST requests to paths containing 'mobiquo' with method calls to 'unsubscribe_forum' or 'unsubscribe_topic' carrying parameters prefixed with 's_' followed by SQL injection payloads.
- Blind time-based SQL injection is performed using 'select sleep(N)' inside UNION payloads; detect anomalous response latency on XML-RPC calls to the Tapatalk endpoint combined with SQL keywords (UNION, SELECT, sleep) in request bodies.
- The exploit uses a mobile iPhone User-Agent string to blend in; correlate this UA with XML-RPC requests to mobiquo.php as a detection pivot.
- The exploit probes for the string 'tapatalkDetect()' in page responses to fingerprint vulnerable installations before launching the SQL injection attack.
- Attacker attempts to exfiltrate MySQL root password hash and the Tapatalk 'apikey' setting via blind SQLi; monitor database logs for queries against mysql.user and the 'setting' table with varname='apikey'.
- Affected versions are Tapatalk plugin 4.9.0 and earlier, and 5.x through 5.2.1 for vBulletin; the exploit PoC is specifically written for the vBulletin 4.x variant.
- The SQL injection is unauthenticated (no session required); the vulnerable parameters are passed directly into XML-RPC method arguments with no escaping, as noted by the exploit comment 'no escape, invalid_char="_"'.
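The request-body check described in the detection notes above, as an added example (not code from the advisory or the PoC): it parses logged XML-RPC POST bodies with Python's `xmlrpc.client` and flags the two method names when a parameter carries SQL keywords, adding a latency finding when the response was also slow. `inspect_request`, `strings_in`, the 64 KiB cap, the 3-second threshold and the sample bodies are assumptions made for the example.

```python
import re
import xmlrpc.client
from xml.parsers.expat import ExpatError

WATCHED = {"unsubscribe_forum", "unsubscribe_topic"}  # methods named above
SQL_TOKENS = re.compile(r"\b(union|select|sleep)\b", re.I)
MAX_BODY = 64 * 1024  # assumed cap: never parse oversized bodies


def strings_in(value):
    """Yield every string inside a decoded XML-RPC value (base64 included)."""
    if isinstance(value, xmlrpc.client.Binary):
        yield value.data.decode("latin-1")
    elif isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from strings_in(list(value) + list(value.values()))
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from strings_in(item)


def inspect_request(path, body, elapsed_s=0.0, slow_after_s=3.0):
    """Return findings for one logged POST; an empty list means nothing flagged."""
    if "mobiquo" not in path.lower():
        return []
    if len(body) > MAX_BODY:
        return ["oversized body, not parsed"]
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, ValueError):
        return ["unparseable XML-RPC body"]
    if method not in WATCHED:
        return []
    findings = []
    for text in strings_in(params):
        tokens = sorted({t.lower() for t in SQL_TOKENS.findall(text)})
        if tokens:
            prefix = " in s_-prefixed value" if text.startswith("s_") else ""
            findings.append(f"{method}: SQL keywords {tokens}{prefix}")
    if findings and elapsed_s >= slow_after_s:
        findings.append(f"{method}: slow response ({elapsed_s:.1f}s)")
    return findings


# Constructed sample bodies; the string reuses the page's unfilled template.
SUSPICIOUS = xmlrpc.client.dumps(
    ("s_-1 union %s and ( select sleep(%s) )",), "unsubscribe_topic")
BENIGN = xmlrpc.client.dumps(("42",), "unsubscribe_topic")
```

Feed it the path, raw body and response time from a reverse-proxy or WAF log; keyword hits on these two methods are worth alerting on by themselves, since a legitimate unsubscribe call carries only an identifier.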
CVSS provenance
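| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 6.3 | MEDIUM | — |
| vendor_redhat | — | 8.0 | HIGH | — |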
OSV
CVE-2023-54239 iommufd: Check for uptr overflow
osv · 2025-12-30
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Check for uptr overflow
syzkaller found that setting up a map with a user VA that wraps past zero
can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0
due to invalid arguments.
Prevent creating a pages with a uptr and size that would math overflow.
WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390
Modules linked in:
CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:pfn_reader_user_pin+0x2e6/0x390
Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 8
OSV
CVE-2023-34059 open-vm-tools vulnerabilities
osv · 2025-08-24 · CVSS 6.3
Matthias Gerstner discovered that Open VM Tools incorrectly handled file
descriptors when dropping privileges. A local attacker could possibly use
this issue to hijack /dev/uinput and simulate user inputs. (CVE-2023-34059)
Dolev Farhi discovered that Open VM Tools incorrectly handled certain file
permissions. A local attacker could possibly use this issue to setup a symlink
attack and override files without authorization. (CVE-2014-4199)
GHSA
CVE-2014-2023 [CRITICAL] CWE-89 GHSA-pvxc-738f-66pm: Multiple SQL injection vulnerabilities in the Tapatalk plugin 4
ghsa_unreviewed · 2022-05-17
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
Suricata
CVE-2014-6271 [CRITICAL] ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy
suricata · 2014-09-27 · CVSS 9.8
Rule: alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; reference:cve,2014-6271; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_24;)
Bugzilla
CVE-2023-54236 [MEDIUM] kernel: net/net_failover: fix txq exceeding warning
bugzilla · 2025-12-30
In the Linux kernel, the following vulnerability has been resolved:
net/net_failover: fix txq exceeding warning
The failover txq is inited as 16 queues.
when a packet is transmitted from the failover device firstly,
the failover device will select the queue which is returned from
the primary device if the primary device is UP and running.
If the primary device txq is bigger than the default 16,
it can lead to the following warning:
eth0 selects TX queue 18, but real number of TX queues is 16
The warning backtrace is:
[ 32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G E 6.2.8-1.el7.centos.x86_64 #1
[ 32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014
[ 32.147730] Call Trace:
[ 32.147971]
[ 32.14
Bugzilla
CVE-2023-53629 [HIGH] kernel: fs: dlm: fix use after free in midcomms commit
bugzilla · 2025-10-07 · CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved:
fs: dlm: fix use after free in midcomms commit
While working on processing dlm message in softirq context I experienced
the following KASAN use-after-free warning:
[ 151.760477] ==================================================================
[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0
[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347
[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828
[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014
[ 151.768726] Call Trace:
[ 151.769277]
[ 151.769748] dump_stack
- http://packetstormsecurity.com/files/128854/vBulletin-4.x-Tapatalk-Blind-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Oct/57
- http://www.exploit-db.com/exploits/35102
- http://www.securityfocus.com/bid/70418
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2023