Remote Command Execution Vulnerability in vBulletin by vBulletin Solutions, Inc.
CVE-2020-7373

9.8CRITICAL

Key Information:

Vendor: Vbulletin
Status: Vbulletin
Vendor: CVE Published:; 30 October 2020

What is CVE-2020-7373?

A vulnerability in vBulletin versions 5.5.4 through 5.6.2 allows attackers to execute arbitrary commands remotely by exploiting crafted subWidgets data sent through an ajax/render/widget_tabbedcontainer_tab_panel request. This issue is rooted in an incomplete fix for a previous vulnerability (CVE-2019-16759) and serves as a duplicate case related to CVE-2020-17496, indicating ongoing challenges in securing the application despite attempts at patching.

References

https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tal...

x_refsource_MISC

https://forum.vbulletin.com/forum/vbulletin-announcements...

x_refsource_MISC

https://seclists.org/fulldisclosure/2020/Aug/5

x_refsource_MISC

EPSS Score

89% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 30, 2020
Vulnerability Reserved
Jan 21, 2020

Vbulletin

What is CVE-2020-7373?

References

EPSS Score

CVSS V3.1

Timeline