Allele Security Alert
ASA-2019-00544
Identifier(s)
ASA-2019-00544, CVE-2019-16759
Title
Remote Code Execution
Vendor(s)
vBulletin Solutions, Inc
Product(s)
vBulletin
Affected version(s)
vBulletin versions from 5.0.0 up to and including 5.5.4
Fixed version(s)
vBulletin version 5.5.4 Patch Level 1
Proof of concept
Yes
Description
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Technical details
Unknown
Credits
Unknown
Reference(s)
vBulletin 5.x 0day pre-auth RCE exploit
https://seclists.org/fulldisclosure/2019/Sep/31
vBulletin Security Patch Released. Versions 5.5.2, 5.5.3, and 5.5.4
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4
CVE-2019-16759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759
CVE-2019-16759
https://nvd.nist.gov/vuln/detail/CVE-2019-16759
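Detection example
The following is an added example, not part of the original alert and not vBulletin code: a check that flags requests carrying the routestring value and the widgetConfig[code] parameter named in the Description. The function names, the alert/review/ok labels, the form-encoded body, the case-insensitive matching and the URL-path check are assumptions made for illustration.

```python
"""Flag HTTP requests matching the CVE-2019-16759 request pattern (added example)."""
from urllib.parse import parse_qsl, unquote, urlsplit

ROUTE = "ajax/render/widget_php"   # routestring value named in the advisory
PARAM = "widgetconfig[code]"       # parameter named in the advisory, casefolded


def _pairs(encoded):
    # parse_qsl percent-decodes names and values, so widgetConfig%5Bcode%5D and
    # ajax%2Frender%2Fwidget_php normalise to the same form as the plain spellings.
    # Casefolding is deliberately conservative: it can only widen the match.
    return [(k.strip().casefold(), v.strip().strip("/").casefold())
            for k, v in parse_qsl(encoded, keep_blank_values=True)]


def classify(target, body=""):
    """Return 'alert', 'review' or 'ok' for a request target and form-encoded body."""
    parts = urlsplit(target)
    pairs = _pairs(parts.query) + _pairs(body)
    route = any(k == "routestring" and v == ROUTE for k, v in pairs)
    # Assumption: the route may also be addressed through the URL path.
    route = route or unquote(parts.path).strip("/").casefold().endswith(ROUTE)
    param = any(k == PARAM for k, _ in pairs)
    if route and param:
        return "alert"    # both markers from the advisory are present
    if route or param:
        return "review"   # one marker only: worth a look, not conclusive
    return "ok"


# Constructed sample requests (method, target, form body); values are placeholders.
SAMPLES = [
    ("POST", "/index.php",
     "routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=PLACEHOLDER"),
    ("GET", "/index.php?routestring=ajax%2Frender%2Fwidget_php"
            "&widgetConfig[code]=PLACEHOLDER", ""),
    ("POST", "/index.php", "routestring=ajax/render/widget_php"),
    ("GET", "/forum/topic/12-hello?page=2", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(f"{classify(target, body):6} {method} {target}")
```

Standard web server access logs do not record POST bodies, so this check belongs where the body is visible, such as a reverse proxy or WAF rule. A match indicates a request worth investigating on an unpatched 5.x installation, not proof of compromise.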
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: October 18, 2019