CVE-2017-17672

In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
References
Link Resource
https://blogs.securiteam.com/index.php/archives/3573 Exploit Third Party Advisory
https://www.exploit-db.com/exploits/43362/ Exploit Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
cpe:2.3:a:vbulletin:vbulletin:5.0.0:beta_28:*:*:*:*:*:*
cpe:2.3:a:vbulletin:vbulletin:5.0.0:beta_11:*:*:*:*:*:*

Information

Published : 2017-12-13 16:29

Updated : 2018-01-02 08:29


NVD link : CVE-2017-17672

Mitre link : CVE-2017-17672


JSON object : View

CWE
CWE-502

Deserialization of Untrusted Data

Advertisement

dedicated server usa

Products Affected

vbulletin

  • vbulletin