CVE-2019-17132
published 2019-10-04

CVE-2019-17132: vBulletin through 5.5.4 mishandles custom avatars.

Priority: P260 critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available: yes
EPSS: 11.78% (95.6th percentile)

Affected (1 range)

Vendor      Product     Version range   Fixed in
vbulletin   vbulletin   <= 5.5.4        (not listed)

Detection & IOCs (extracted from sources)

url:      ?routestring=auth/login
url:      ?routestring=profile/upload-profilepicture
url:      routestring=ajax/api/user/updateAvatar
path:     core/<avatarpath>/<id+1>.php
filename: avatar.php
other:    data[extension]=php
other:    CMD: <base64-encoded command>
cookie:   sessionhash
  • Alert on POST parameters containing data[extension]=php submitted to the updateAvatar API route, indicating an attempt to change an uploaded avatar's file extension to PHP for webshell placement.
  • Monitor for PHP files appearing under the vBulletin 'core/' avatar storage directory (e.g., core/customavatars/*.php), which should only contain image files.
  • Detect HTTP requests containing a 'CMD:' header with a base64-encoded value — this is the webshell command-execution mechanism used post-exploitation.
  • Look for the webshell output delimiter '____' in HTTP responses from the vBulletin core directory, indicating active webshell interaction.
  • The exploit only succeeds if the vBulletin 'Save Avatars as Files' option is enabled; if avatars are stored in the database (served via image.php), the PHP file cannot be written to disk and the exploit fails.
  • The attacker must have valid credentials to an existing vBulletin account; the exploit authenticates via the login endpoint before performing the avatar manipulation.
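
The four detection bullets above, expressed as matching rules over constructed request/response records (an added example, not code from cvebase or vBulletin); the record shape, the field names and the avatar-directory pattern are assumptions about how a proxy or SIEM would export the traffic.

```python
import base64
import binascii
import re

# Constructed sample records (not captured traffic), in an assumed proxy/SIEM
# shape: a login, the extension rewrite, a webshell call, and a benign upload.
SAMPLE_REQUESTS = [
    {"query": "routestring=auth/login", "path": "/",
     "params": {"username": "alice"}, "headers": {}, "response": "ok"},
    {"query": "routestring=ajax/api/user/updateAvatar", "path": "/",
     "params": {"data[extension]": "php"}, "headers": {}, "response": "{}"},
    {"query": "", "path": "/core/customavatars/1234.php", "params": {},
     "headers": {"CMD": base64.b64encode(b"placeholder-command").decode()},
     "response": "____placeholder output____"},
    {"query": "routestring=profile/upload-profilepicture", "path": "/",
     "params": {"data[extension]": "jpg"}, "headers": {}, "response": "{}"},
]

# Assumed layout: a .php file directly inside an avatar directory under core/.
AVATAR_PHP = re.compile(r"/core/[^/]*avatar[^/]*/[^/]+\.php$", re.IGNORECASE)

def looks_base64(value: str) -> bool:
    """True if value is non-empty, padded base64 (the 'CMD:' header form)."""
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) > 0 and len(value) % 4 == 0

def detect(record: dict) -> list:
    """Return the names of the CVE-2019-17132 detection rules a record trips."""
    hits = []
    query, path = record.get("query", ""), record.get("path", "")
    params = record.get("params", {})
    headers = {k.upper(): v for k, v in record.get("headers", {}).items()}
    # Rule 1: extension rewritten to php via the updateAvatar API route.
    if ("routestring=ajax/api/user/updateAvatar" in query
            and params.get("data[extension]", "").lower() == "php"):
        hits.append("avatar_extension_php")
    # Rule 2: a PHP file requested from the avatar storage directory.
    if AVATAR_PHP.search(path):
        hits.append("php_in_avatar_dir")
    # Rule 3: base64 'CMD:' request header, the webshell's command channel.
    if looks_base64(headers.get("CMD", "")):
        hits.append("cmd_header_base64")
    # Rule 4: webshell output delimiter in a response served from core/.
    if path.startswith("/core/") and "____" in record.get("response", ""):
        hits.append("webshell_delimiter")
    return hits
```

Rule 1 alone is the earliest signal and precedes any file on disk; rules 2 to 4 only fire once the avatar has been written as PHP, which is also why they stay silent when 'Save Avatars as Files' is off.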

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P