Vulnerability CVE-2019-17132


Published: 2019-10-04

Description:
vBulletin through 5.5.4 mishandles custom avatars.

See advisories in our WLB2 database:
Topic
Author
Date
High
vBulletin 5.5.4 Remote Code Execution
EgiX
08.10.2019
High
vBulletin 5.0 < 5.5.4 updateAvatar Authenticated Remote Code Execution
EgiX
13.10.2019

Type:

CWE-20

(Improper Input Validation)

Vendor: Vbulletin
Product: Vbulletin 
Version: 5.5.4;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2019/Oct/9
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2

Related CVE
CVE-2019-17271
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
CVE-2019-17131
vBulletin before 5.5.4 allows clickjacking.
CVE-2019-17130
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
CVE-2019-16759
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
CVE-2018-15493
vBulletin 5.4.3 has an Open Redirect.
CVE-2018-6200
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
CVE-2017-17672
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cach...
CVE-2017-17671
vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is...

Copyright 2019, cxsecurity.com

 

Back to Top