9.8

CVE-2017-17672

Exploit

EPSS 8.28%
Veröffentlicht 14.12.2017 00:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vbulletin ≫ Vbulletin Version >= 5.0.1 <= 5.3.3

Vbulletin ≫ Vbulletin Version5.0.0 Updatebeta_11

Vbulletin ≫ Vbulletin Version5.0.0 Updatebeta_28

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	8.28%	0.919

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://blogs.securiteam.com/index.php/archives/3573

Third Party Advisory

Exploit

https://www.exploit-db.com/exploits/43362/

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2017-17672

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-17672

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-17672

EUVD