vBulletin widgetConfig remote code execution vulnerability

Published : 02/10/2019

Reference:
Advisory #2019-022

Version:
1.0

Affected software:
vBulletin 5.x through 5.5.4

Type:
unauthenticated remote code execution

CVE/CVSS:
CVE-2019-16759

Sources

https://seclists.org/fulldisclosure/2019/Sep/31

https://nvd.nist.gov/vuln/detail/CVE-2019-16759

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4

Risks

unauthenticated, arbitrary remote code execution

Description

vBulletin is a widely deployed commercial web forum platform. On 23 September 2019 an anonymous security researcher published proof-of-concept code on the Full Disclosure mailing list for an unauthenticated remote code execution vulnerability in vBulletin 5.x. The flaw allows an unauthenticated attacker to submit PHP code in the widgetConfig[code] parameter of a request with routestring=ajax/render/widget_php; the server evaluates that code, so a single HTTP request is enough to run arbitrary commands with the privileges of the web server. Unauthenticated remote code execution is about as bad as software vulnerabilities get, and the public availability of a working exploit means active scanning and exploitation should be expected.

Note that vBulletin may be incorporated into your website as a component without you being aware of it. If your website has some kind of user discussion functionality, contact your system administrator and ask them to verify whether this is powered by vBulletin.

Recommended Actions

CERT.be recommends that system administrators verify whether vBulletin is a dependency within their environment and patch immediately following the vendor's instructions. The vendor has released a security patch for versions 5.5.2, 5.5.3 and 5.5.4; older 5.x installations should be upgraded to one of these releases and then patched. Because exploit code is public, administrators should also review web server, reverse proxy and WAF logs for requests carrying the widgetConfig[code] parameter together with the ajax/render/widget_php route, and treat any such request as an exploitation attempt that warrants an investigation of the host.
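The following is an added example, not code from CERT.be or from vBulletin, showing how an administrator can screen HTTP request records for the exploit pattern of CVE-2019-16759. The indicators it matches (a routestring or path of ajax/render/widget_php combined with a widgetConfig[code] parameter) are taken from the public proof of concept and the NVD description referenced above. The request records at the bottom are constructed sample data; real deployments would feed in WAF or reverse proxy logs, since standard web server access logs do not record POST bodies and only the GET variant of the request would be visible there.

```python
"""Screen HTTP request records for CVE-2019-16759 exploitation attempts.

Added example for this advisory; not CERT.be or vBulletin code.
Indicators come from the public PoC and the NVD description:
  - route: ajax/render/widget_php (as routestring= parameter or as URL path)
  - parameter: widgetConfig[code] carrying the PHP code to evaluate
The SAMPLE_REQUESTS below are constructed, not captured traffic.
"""
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE_INDICATOR = "ajax/render/widget_php"
PARAM_INDICATOR = "widgetconfig[code]"   # keys are compared lower-cased


def _merged_params(path_and_query, body):
    """Return (path, params) with query-string and body parameters merged.

    parse_qs percent-decodes keys and values, so an encoded
    widgetConfig%5Bcode%5D is matched as well as the literal form.
    """
    parts = urlsplit(path_and_query)
    merged = {}
    for raw in (parts.query, body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key.lower(), []).extend(values)
    return parts.path, merged


def classify_request(path_and_query, body=""):
    """Return the injected PHP code when a request matches the exploit
    pattern (route indicator AND widgetConfig[code]), otherwise None.

    Requiring both indicators avoids flagging ordinary widget requests
    that legitimately use the same route without a code parameter.
    """
    path, params = _merged_params(path_and_query, body)
    routes = [unquote(v).lower() for v in params.get("routestring", [])]
    route_hit = ROUTE_INDICATOR in unquote(path).lower() or any(
        ROUTE_INDICATOR in r for r in routes
    )
    payloads = params.get(PARAM_INDICATOR)
    if route_hit and payloads:
        return payloads[0]
    return None


def scan(requests):
    """Return (source, method, injected_code) for every matching record."""
    hits = []
    for rec in requests:
        code = classify_request(rec["request"], rec.get("body", ""))
        if code is not None:
            hits.append((rec["src"], rec["method"], code))
    return hits


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "GET",
     "request": "/forum/general-discussion", "body": ""},
    # PoC-style POST: route and code parameter both in the encoded body
    {"src": "203.0.113.9", "method": "POST", "request": "/",
     "body": "routestring=ajax%2Frender%2Fwidget_php"
             "&widgetConfig%5Bcode%5D=echo+shell_exec%28%22id%22%29%3B+exit%3B"},
    # GET variant: route as URL path, code parameter in the query string
    {"src": "203.0.113.9", "method": "GET",
     "request": "/ajax/render/widget_php?widgetConfig[code]=phpinfo()", "body": ""},
    # Same route without widgetConfig[code]: not an exploitation attempt
    {"src": "198.51.100.8", "method": "POST",
     "request": "/ajax/render/widget_php", "body": "widgetConfig[title]=Welcome"},
]

if __name__ == "__main__":
    for src, method, code in scan(SAMPLE_REQUESTS):
        print(f"{src} {method} injected PHP: {code!r}")
```

Any hit should be treated as a confirmed exploitation attempt, and if the host was unpatched at the time of the request it should be treated as compromised until proven otherwise. The matcher only recognises the request shape used by the public proof of concept; attackers can vary encoding or split parameters, so a miss is not proof of absence.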