返回 CVE 浏览器

CVE-2019-16759

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score68.2390%

EPSS Percentile92.29th

Published2019年9月24日

Last Modified2025年11月7日

Vulnerability Description

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Affected Platforms (CPE)

📦

Vbulletin

Vbulletin

>= 5.0.0 and <= 5.5.4

References & Advisories

🔗 http://packetstormsecurity.com/files/154623/vBulletin-5.x-0-Day-Pre-Auth-Remote-Command-Execution.html

🔗 http://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/155633/vBulletin-5.5.4-Remote-Command-Execution.html

🔗 http://packetstormsecurity.com/files/158829/vBulletin-5.x-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/158830/vBulletin-5.x-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/158866/vBulletin-5.x-Remote-Code-Execution.html

🔗 http://seclists.org/fulldisclosure/2020/Aug/5

🔗 https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

相关漏洞威胁

CVE-2012-432810.0

Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4...

CVE-2019-171329.8

vBulletin through 5.5.4 mishandles custom avatars.

CVE-2020-127209.8

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

CVE-2020-174969.8

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer...