9.8

CVE-2019-16759

Warnung
Medienbericht
Exploit
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VbulletinVbulletin Version >= 5.0.0 <= 5.5.4

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

vBulletin PHP Module Remote Code Execution Vulnerability

Schwachstelle

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 94.43% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://seclists.org/fulldisclosure/2020/Aug/5
Third Party Advisory
Exploit
Mailing List
https://seclists.org/fulldisclosure/2019/Sep/31
Third Party Advisory
Exploit
Mailing List
https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/
Third Party Advisory
Press/Media Coverage