CyberSec.Space Logo
Back to CVE Browser

CVE-2020-17496

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score43.8270%
EPSS Percentile93.33th
PublishedAug 12, 2020
Last ModifiedNov 7, 2025

Vulnerability Description

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

Affected Platforms (CPE)

πŸ“¦
Vbulletin

Vbulletin

>= 5.5.4 and <= 5.6.2

References & Advisories

πŸ”— https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
πŸ”— https://cwe.mitre.org/data/definitions/78.html
πŸ”— https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
πŸ”— https://seclists.org/fulldisclosure/2020/Aug/5
πŸ”— https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
πŸ”— https://cwe.mitre.org/data/definitions/78.html
πŸ”— https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
πŸ”— https://seclists.org/fulldisclosure/2020/Aug/5

Related Vulnerabilities

CVE-2012-432810.0

Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4...

CVE-2020-127209.8

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

CVE-2019-171329.8

vBulletin through 5.5.4 mishandles custom avatars.

CVE-2019-167599.8

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php rout...