Security News > 2020 > August > vBulletin Patches Zero-Day Exploited in Attacks
vBulletin developers on Monday rushed to address a zero-day remote code execution vulnerability in the forum software, one day after the issue was publicly disclosed.
On Sunday, security researcher Amir Etemadieh published information on a new vulnerability in vBulletin, explaining how it can be abused to bypass the patch released in September 2019 for CVE-2019-16759, and also providing proof-of-concept code that demonstrates how easily the flaw can be exploited.
Etemadieh, who identified other severe vulnerabilities in vBulletin before, did not contact vBulletin prior to disclosing the new vulnerability, which does not have a CVE identifier yet.
On Monday, vBulletin announced that patches were available for the 5.6.0, 5.6.1, and 5.6.2 versions of vBulletin Connect.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible," vBulletin said.
News URL
Related news
- Rackspace monitoring data stolen in ScienceLogic zero-day attack (source)
- Qualcomm patches high-severity zero-day exploited in attacks (source)
- Ivanti warns of three more CSA zero-days exploited in attacks (source)
- Mozilla fixes Firefox zero-day actively exploited in attacks (source)
- Firefox Zero-Day Under Attack: Update Your Browser Immediately (source)
- CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack (source)
- Fortinet warns of new critical FortiManager flaw used in zero-day attacks (source)
- Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575) (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-24 | CVE-2019-16759 | Code Injection vulnerability in Vbulletin vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 9.8 |