A proof-of-concept (PoC) exploit for the zero-day was published on the Full Disclosure mailing list by an individual who wanted to remain anonymous. It’s unclear why they have decided to release the information before vBulletin developers could create a patch.
The vulnerability, to which MITRE assigned the CVE identifier CVE-2019-16759, is said to affect vBulletin 5.x through 5.5.4 (the latest version), and it allows an unauthenticated attacker to execute arbitrary commands by sending a specially crafted HTTP POST request to the targeted vBulletin website.
Comments are closed.
