CISA KEV Information
| Vulnerability Name | vBulletin PHP Module Remote Code Execution Vulnerability |
|---|---|
| Description | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. This CVE ID resolves an incomplete patch for CVE-2019-16759. |
| Required Action | Apply updates per vendor instructions. |
| Known Ransomware Campaign Use | Unknown |
| CWE | CWE-74 |
| Date Added (KEV) | 2021-11-03 |
| Due Date | 2022-05-03 |
| Additional Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-17496 |
NVD Details
CVSS v3.1: 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Description: vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
CWE: CWE-74
References
- https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/ [Exploit, Third Party Advisory]
- https://cwe.mitre.org/data/definitions/78.html [Technical Description]
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch [Patch, Vendor Advisory]
- https://seclists.org/fulldisclosure/2020/Aug/5 [Exploit, Mailing List, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17496 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.