cbcvebase.
CVE-2020-17496
published 2020-08-12

CVE-2020-17496: vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE…

PriorityP195critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
87.74%
99.7th percentile
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

Affected

1 ranges
VendorProductVersion rangeFixed in
vbulletinvbulletin5.5.4 – 5.6.2

Detection & IOCsextracted from sources · hover to see the quote

url/ajax/render/widget_tabbedcontainer_tab_panel
commandPOST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
othersubWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;
commandcurl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;'
  • Detect HTTP POST requests to /ajax/render/widget_tabbedcontainer_tab_panel with body parameters containing 'subWidgets[0][template]=widget_php' — this is the core exploit delivery mechanism for CVE-2020-17496.
  • Look for the parameter combination 'subWidgets[0][template]=widget_php' alongside 'subWidgets[0][config][code]=' in POST body — this loads the widget_php template to bypass the CVE-2019-16759 patch and reach an eval call with user input.
  • Shodan/FOFA queries for exposed vBulletin instances: search for 'http.title:"powered by vbulletin"', 'http.html:"powered by vbulletin"', or 'http.component:"vbulletin"' to identify potentially vulnerable targets.
  • The vulnerability is pre-authentication (no credentials required); any unauthenticated POST to the widget_tabbedcontainer_tab_panel endpoint with widget_php template parameter should be treated as a high-confidence attack indicator.
  • ·The vulnerability only affects vBulletin versions 5.5.4 through 5.6.2; versions outside this range (including older 5.x branches) may still be vulnerable but are not confirmed by the patch scope.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.