cbcvebase.
CVE-2017-17672
published 2017-12-14

CVE-2017-17672: In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances…

PriorityP273critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
14.91%
96.3th percentile
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.

Affected

2 ranges
VendorProductVersion rangeFixed in
vbulletinvbulletin
vbulletinvbulletin5.0.1 – 5.3.3

Detection & IOCsextracted from sources · hover to see the quote

url/ajax/api/template/cacheTemplates
commandtemplates[]=1&templateidlist=O:20:"vB_Image_ImageMagick":1:{s:20:"%00*%00imagefilelocation";s:13:"/path/to/file";}
pathcore/vb/api/template.php
  • Detect PHP deserialization gadget abuse via the 'templateidlist' POST parameter containing a serialized vB_Image_ImageMagick object (e.g., O:20:"vB_Image_ImageMagick") targeting the imagefilelocation property to trigger arbitrary file deletion.
  • A server error response containing 'Cannot use object of type vB_Image_ImageMagick as array' in the JSON body indicates a successful deserialization attempt (file deletion may have already occurred before the error is returned).
  • ·The deserialization is only triggered when 'templateidlist' is NOT already an array — if the input is already an array, unserialize() is skipped. Payloads must be sent as a serialized string, not as array-typed POST parameters.
  • ·Code execution via this deserialization is conditional ('under certain circumstances') — arbitrary file deletion is the primary confirmed impact. The specific gadget chain required for RCE depends on available classes in the vBulletin installation.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.