CVE-2020-7373
vBulletin 5.x Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.
vBulletin versiones 5.5.4 hasta 5.6.2, permite una ejecución de comandos remota por medio de datos subWidgets diseñados en una petición de ajax/render/widget_tabbedcontainer_tab_panel. NOTA: este problema se presenta debido a una corrección incompleta para el CVE-2019-16759. TAMBIÉN TOME EN CUENTA: el CVE-2020-7373 es un duplicado de CVE-2020-17496. El CVE-2020-17496 es el ID de CVE preferido para rastrear esta vulnerabilidad
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-21 CVE Reserved
- 2020-08-13 CVE Published
- 2024-06-29 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail | 2024-08-04 | |
| https://seclists.org/fulldisclosure/2020/Aug/5 | 2024-08-04 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vbulletin Search vendor "Vbulletin" | Vbulletin Search vendor "Vbulletin" for product "Vbulletin" | >= 5.5.4 <= 5.6.2 Search vendor "Vbulletin" for product "Vbulletin" and version " >= 5.5.4 <= 5.6.2" | - |
Affected
| ||||||