ASA-2019-00544 – vBulletin: Remote Code Execution


Allele Security Alert

ASA-2019-00544

Identifier(s)

ASA-2019-00544, CVE-2019-16759

Title

Remote Code Execution

Vendor(s)

vBulletin Solutions, Inc.

Product(s)

vBulletin

Affected version(s)

vBulletin versions from 5.0.0 up to and including 5.5.4

Fixed version(s)

vBulletin version 5.5.4 Patch Level 1

Proof of concept

Yes

Description

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
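A defender-side check for the request pattern described above, added here as an example and not part of the advisory: it scans web-server log lines for requests that combine the ajax/render/widget_php routestring with a widgetConfig[code] parameter. The log layout (combined format plus an optional trailing body field, as a proxy or WAF might record it), the field names and all sample entries are assumptions.

```python
# Added example (not part of the advisory): flag web-server log entries whose
# request routes to ajax/render/widget_php and also carries a widgetConfig[code]
# parameter, the combination described for CVE-2019-16759. The log layout,
# the trailing body field and all sample lines are constructed for this example.
import re
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "ajax/render/widget_php"
PARAM = "widgetConfig[code]"

# Combined log format plus a hypothetical quoted POST-body field at the end,
# as a reverse proxy or WAF could be configured to record it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)'
    r'[^"]*" (?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?'
)

def is_widget_php_request(url, body=""):
    """True when the routestring selects widget_php and widgetConfig[code] is present.
    The routestring may sit in the path or be passed as a 'routestring' parameter."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for k, v in parse_qs(body or "", keep_blank_values=True).items():
        params.setdefault(k, []).extend(v)
    route_hit = ROUTE in unquote(parts.path) or any(
        ROUTE in unquote(v) for v in params.get("routestring", []))
    # parse_qs decodes names, so widgetConfig%5Bcode%5D matches as well
    return route_hit and PARAM in params

def scan_log(lines):
    """Return (ip, timestamp, method) for every line matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_widget_php_request(m["url"], m["body"]):
            hits.append((m["ip"], m["ts"], m["method"]))
    return hits

SAMPLE_LOG = [  # constructed lines; 203.0.113.x is documentation address space
    '203.0.113.5 - - [25/Sep/2019:10:01:02 +0000] "GET /forum/index.php?routestring=forum/general-discussion HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Sep/2019:10:01:09 +0000] "GET /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 311',
    '203.0.113.9 - - [25/Sep/2019:10:02:44 +0000] "GET /index.php?routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=REDACTED HTTP/1.1" 200 844',
    '203.0.113.9 - - [25/Sep/2019:10:02:51 +0000] "POST /ajax/render/widget_php HTTP/1.1" 200 902 "widgetConfig[code]=REDACTED"',
]

if __name__ == "__main__":
    for ip, ts, method in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} request matched {ROUTE} + {PARAM}")
```

Only the second and third sample lines above are reported: a bare widget_php route without the parameter is not flagged, and the POST variant is caught only if the log source records request bodies.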

Technical details

Unknown

Credits

Unknown

Reference(s)

vBulletin 5.x 0day pre-auth RCE exploit
https://seclists.org/fulldisclosure/2019/Sep/31

vBulletin Security Patch Released. Versions 5.5.2, 5.5.3, and 5.5.4
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4

CVE-2019-16759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759

CVE-2019-16759
https://nvd.nist.gov/vuln/detail/CVE-2019-16759

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: October 18, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.