vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
Max CVSS
9.8
EPSS Score
71.56%
Published
2023-02-03
Updated
2023-02-13
CVE-2020-17496
Known exploited
Public exploit
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
Max CVSS
9.8
EPSS Score
97.49%
Published
2020-08-12
Updated
2022-10-26
CISA KEV Added
2021-11-03
CVE-2020-12720
Public exploit
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
Max CVSS
9.8
EPSS Score
88.62%
Published
2020-05-08
Updated
2022-04-27
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.
Max CVSS
9.8
EPSS Score
83.10%
Published
2020-10-30
Updated
2021-07-21
vBulletin through 5.5.4 mishandles custom avatars.
Max CVSS
9.8
EPSS Score
12.95%
Published
2019-10-04
Updated
2021-07-21
CVE-2019-16759
Known exploited
Public exploit
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Max CVSS
9.8
EPSS Score
97.51%
Published
2019-09-24
Updated
2021-07-21
CISA KEV Added
2021-11-03
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
Max CVSS
9.8
EPSS Score
0.89%
Published
2017-12-14
Updated
2018-01-02
vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file.
Max CVSS
9.8
EPSS Score
0.65%
Published
2017-12-14
Updated
2020-08-14
SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.
Max CVSS
9.8
EPSS Score
0.28%
Published
2016-08-30
Updated
2017-08-21
9 vulnerabilities found