CVE-2020-7373
Published: 2020-10-30
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild
EPSS: 46.03% (98.7th percentile)
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | 5.5.4 – 5.6.2 | — |
Detection & IOCs (extracted from sources)
Exploitation request as captured in the sources:

```http
POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
Content-Type: application/x-www-form-urlencoded

subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
```
- Detect exploitation attempts by monitoring HTTP POST requests to the path /ajax/render/widget_tabbedcontainer_tab_panel with body parameters containing 'subWidgets[0][template]=widget_php' and 'subWidgets[0][config][code]', indicating RCE payload delivery.
- Also monitor POST requests to /ajax/render/widget_php with the 'widgetConfig' parameter (related predecessor CVE-2019-16759 vector, same attack surface family).
- Shodan/FOFA fingerprinting: identify exposed vBulletin instances via 'http.component:"vBulletin"', 'http.html:"powered by vbulletin"', or title/body containing 'powered by vbulletin'.
- A successful exploitation probe response will contain the MD5 hash 'addcc9f9f2f40e2e6aca3079b73d9d17' (md5 of 'CVE-2019-16759') in the HTTP 200 response body; use this as a canary string in IDS/WAF rules.
- CVE-2020-7373 is a duplicate of CVE-2020-17496; CVE-2020-17496 is the preferred CVE ID to track this vulnerability. Detection rules should be tagged/aliased accordingly.
- This vulnerability exists because of an incomplete fix for CVE-2019-16759; detections covering CVE-2019-16759 (/ajax/render/widget_php) may not catch the updated attack vector (/ajax/render/widget_tabbedcontainer_tab_panel) used in CVE-2020-7373/CVE-2020-17496.
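The detection guidance above, turned into a small log-triage routine. This is an added example, not code from the page or from any of the referenced projects: it runs over constructed request/response records (no real traffic), flags POSTs to /ajax/render/widget_tabbedcontainer_tab_panel that carry a 'widget_php' subWidgets template together with a config code parameter, flags the predecessor widget_php/widgetConfig vector separately, and then checks whether the MD5 canary was echoed back in a 200 response. It generalizes slightly beyond the IOCs: any subWidgets index is matched, not only [0], and the canary is computed with hashlib rather than hard-coded. The record layout (method, path, body, status, response) is an assumption about what your WAF or reverse-proxy log exports.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Canary the widget_php probe in the sources echoes back: md5("CVE-2019-16759").
# Computed here instead of hard-coded so the value is always self-consistent.
CANARY_MD5 = hashlib.md5(b"CVE-2019-16759").hexdigest()

# Constructed sample records (not captured traffic). Field names are an assumption
# about the log export format; adapt them to your proxy/WAF schema.
SAMPLE_EVENTS = [
    {   # CVE-2020-17496 / CVE-2020-7373 vector, probe succeeded (canary in body)
        "method": "POST", "path": "/ajax/render/widget_tabbedcontainer_tab_panel",
        "body": "subWidgets[0][template]=widget_php&subWidgets[0][config][code]="
                "echo%20md5%28%22CVE-2019-16759%22%29%3B",
        "status": 200, "response": f"<div>{CANARY_MD5}</div>",
    },
    {   # predecessor CVE-2019-16759 vector against a patched host (no canary)
        "method": "POST", "path": "/ajax/render/widget_php",
        "body": "widgetConfig%5Bcode%5D=echo%20md5%28%22CVE-2019-16759%22%29%3B",
        "status": 200, "response": "<div>error</div>",
    },
    {   # benign tabbed-container render with a non-PHP widget
        "method": "POST", "path": "/ajax/render/widget_tabbedcontainer_tab_panel",
        "body": "subWidgets[0][template]=widget_text&subWidgets[0][config][text]=hello",
        "status": 200, "response": "<div>hello</div>",
    },
    {   # ordinary page view
        "method": "GET", "path": "/forum", "body": "",
        "status": 200, "response": "<html>powered by vBulletin</html>",
    },
]

TEMPLATE_KEY = re.compile(r"subWidgets\[(\d+)\]\[template\]")


def classify(event):
    """Return a list of finding strings for one request/response record."""
    findings = []
    if event["method"].upper() != "POST":
        return findings

    path = event["path"].split("?", 1)[0].lower()
    # parse_qs percent-decodes both names and values, so 'widgetConfig%5Bcode%5D'
    # becomes 'widgetConfig[code]' and bracketed subWidgets keys compare cleanly.
    params = parse_qs(event["body"], keep_blank_values=True)

    if path.endswith("/ajax/render/widget_tabbedcontainer_tab_panel"):
        # Any subWidgets[<n>] entry whose template is widget_php and that also
        # supplies subWidgets[<n>][config][code] is the CVE-2020-17496 pattern.
        for key, values in params.items():
            match = TEMPLATE_KEY.fullmatch(key)
            if match and "widget_php" in values:
                idx = match.group(1)
                if f"subWidgets[{idx}][config][code]" in params:
                    findings.append(
                        "CVE-2020-17496 (CVE-2020-7373) exploitation attempt: "
                        f"widget_php via subWidgets[{idx}]")
    elif path.endswith("/ajax/render/widget_php"):
        if any(k == "widgetConfig" or k.startswith("widgetConfig[") for k in params):
            findings.append("CVE-2019-16759 exploitation attempt: widgetConfig to widget_php")

    # Only meaningful after an attempt was seen: the canary in a 200 body means
    # the injected PHP actually ran, so the host should be treated as compromised.
    if findings and event["status"] == 200 and CANARY_MD5 in event["response"]:
        findings.append("probe canary echoed in 200 response: likely successful code execution")
    return findings


def scan(events):
    """Return (record index, findings) for every record that produced a finding."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        for hit in hits:
            print(f"record {idx}: {hit}")
```

The two vectors are reported separately on purpose: a rule keyed only on /ajax/render/widget_php will miss the tabbed-container path, which is the whole point of the incomplete-fix note above, and tagging findings with the preferred ID (CVE-2020-17496) keeps them aligned with the duplicate notice.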
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei
CVE-2019-16759 [CRITICAL] vBulletin 5.0.0-5.5.4 - Remote Command Execution (nuclei, CVSS 9.8)
The only indexed template targets the predecessor CVE-2019-16759 (the /ajax/render/widget_php vector); no template specific to this CVE is listed.
vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:

```yaml
id: CVE-2019-16759
info:
  name: vBulletin 5.0.0-5.5.4 - Remote Command Execution
  author: madrobot
  severity: critical
  description: vBulletin 5.0.0 through 5.5.4 is susceptible to a remote command execution vulnerability via the widgetConfig parameter in an ajax/render/widget_php routestring request. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
```
No writeups or analysis indexed.
References
- https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
- https://github.com/rapid7/metasploit-framework/pull/13970
- https://seclists.org/fulldisclosure/2020/Aug/5