Security News > 2020 > August > vBulletin Patches Zero-Day Exploited in Attacks
vBulletin developers on Monday rushed to address a zero-day remote code execution vulnerability in the forum software, one day after the issue was publicly disclosed.
On Sunday, security researcher Amir Etemadieh published information on a new vulnerability in vBulletin, explaining how it can be abused to bypass the patch released in September 2019 for CVE-2019-16759, and also providing proof-of-concept code that demonstrates how easily the flaw can be exploited.
Etemadieh, who identified other severe vulnerabilities in vBulletin before, did not contact vBulletin prior to disclosing the new vulnerability, which does not have a CVE identifier yet.
On Monday, vBulletin announced that patches were available for the 5.6.0, 5.6.1, and 5.6.2 versions of vBulletin Connect.
"All older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible," vBulletin said.
News URL
Related news
- Google fixes two Android zero-days used in targeted attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Palo Alto Networks patches two firewall zero-days used in attacks (source)
- Apple fixes two zero-days used in attacks on Intel-based Macs (source)
- Apple Patches Two Zero-Day Attack Vectors (source)
- Japan warns of IO-Data zero-day router flaws exploited in attacks (source)
- Fully patched Cleo products under renewed 'zero-day-ish' mass attack (source)
- New Cleo zero-day RCE flaw exploited in data theft attacks (source)
- Cleo patches critical zero-day exploited in data theft attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-09-24 | CVE-2019-16759 | Code Injection vulnerability in Vbulletin vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 9.8 |