cbcvebase.
CVE-2020-7373
published 2020-10-30


Priority: P2 · 73 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild
EPSS: 46.03% (98.7th percentile)
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.

Affected (1 range)

Vendor: vbulletin
Product: vbulletin
Version range: 5.5.4 – 5.6.2
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /ajax/render/widget_tabbedcontainer_tab_panel
URL: /ajax/render/widget_php
Request (as quoted in the sources):
POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
Content-Type: application/x-www-form-urlencoded

subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
  • Detect exploitation attempts by monitoring HTTP POST requests to the path /ajax/render/widget_tabbedcontainer_tab_panel with body parameters containing 'subWidgets[0][template]=widget_php' and 'subWidgets[0][config][code]', indicating RCE payload delivery.
  • Also monitor POST requests to /ajax/render/widget_php with the 'widgetConfig' parameter (related predecessor CVE-2019-16759 vector, same attack surface family).
  • Shodan/FOFA fingerprinting: identify exposed vBulletin instances via 'http.component:"vBulletin"', 'http.html:"powered by vbulletin"', or title/body containing 'powered by vbulletin'.
  • Successful exploitation probe response will contain the MD5 hash 'addcc9f9f2f40e2e6aca3079b73d9d17' (md5 of 'CVE-2019-16759') in the HTTP 200 response body — use this as a canary string in IDS/WAF rules.
  • CVE-2020-7373 is a duplicate of CVE-2020-17496; CVE-2020-17496 is the preferred CVE ID to track this vulnerability. Detection rules should be tagged/aliased accordingly.
  • This vulnerability exists because of an incomplete fix for CVE-2019-16759; detections covering CVE-2019-16759 (/ajax/render/widget_php) may not catch the updated attack vector (/ajax/render/widget_tabbedcontainer_tab_panel) used in CVE-2020-7373/CVE-2020-17496.
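The detection points above, turned into a small log-matching rule as an added example (this is not code from cbcvebase or from vBulletin). It takes request records as plain dicts with method, path, body and response fields, which is an assumed shape standing in for whatever a WAF or reverse-proxy log actually provides; the four sample events are constructed, not captured traffic. It flags the widget_tabbedcontainer_tab_panel vector (any subWidgets index, not only [0], and decoded or undecoded bracket syntax), the older widget_php/widgetConfig vector, and the canary hash in the response body, using the hash value exactly as stated on this page.

```python
import re
from urllib.parse import parse_qs

# Paths and canary string taken from the IOC list above.
TABBED_PATH = "/ajax/render/widget_tabbedcontainer_tab_panel"
WIDGET_PHP_PATH = "/ajax/render/widget_php"
CANARY_MD5 = "addcc9f9f2f40e2e6aca3079b73d9d17"  # md5 of 'CVE-2019-16759' as quoted on the page

# Match any subWidgets index, since nothing forces an attacker to use [0].
TEMPLATE_KEY = re.compile(r"subWidgets\[\d+\]\[template\]")
CODE_KEY = re.compile(r"subWidgets\[\d+\]\[config\]\[code\]")


def classify(event):
    """Return a list of detection labels for one request/response record.

    `event` is an assumed log shape: {"method", "path", "body", "response"}.
    Only POST bodies are parsed; parse_qs percent-decodes both keys and values,
    so 'subWidgets%5B0%5D%5Btemplate%5D' and 'subWidgets[0][template]' match alike.
    """
    findings = []
    if event.get("method", "").upper() != "POST":
        return findings

    # Compare the path without query string, case-insensitively, so that
    # trivial casing changes do not slip past the rule.
    path = event.get("path", "").split("?", 1)[0].lower()
    params = parse_qs(event.get("body", ""), keep_blank_values=True)

    if path == TABBED_PATH:
        template_values = [v for k, vs in params.items() if TEMPLATE_KEY.fullmatch(k) for v in vs]
        has_php_template = any(v.strip().lower() == "widget_php" for v in template_values)
        has_code_param = any(CODE_KEY.fullmatch(k) for k in params)
        if has_php_template and has_code_param:
            findings.append("CVE-2020-17496 (dup CVE-2020-7373): widget_php template via tabbedcontainer")
    elif path == WIDGET_PHP_PATH:
        if any(k == "widgetConfig" or k.startswith("widgetConfig[") for k in params):
            findings.append("CVE-2019-16759: widgetConfig sent to widget_php")

    # Canary check on the response: the probe payload on this page would echo
    # this hash, so seeing it in a 200 body suggests the code actually ran.
    if CANARY_MD5 in event.get("response", ""):
        findings.append("canary md5 in response: probe likely executed")
    return findings


def scan(events):
    """Classify every record; return [(index, findings)] for records that hit."""
    hits = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            hits.append((i, labels))
    return hits


# Constructed sample records (not real traffic). The first mirrors the request
# quoted above; the second carries only a placeholder value for widgetConfig.
SAMPLE_EVENTS = [
    {"method": "POST", "path": TABBED_PATH,
     "body": "subWidgets[0][template]=widget_php"
             "&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B",
     "response": "<div>" + CANARY_MD5 + "</div>"},
    {"method": "POST", "path": WIDGET_PHP_PATH,
     "body": "widgetConfig%5Bcode%5D=placeholder", "response": ""},
    {"method": "POST", "path": TABBED_PATH,
     "body": "subWidgets[0][template]=widget_text&subWidgets[0][config][text]=hello",
     "response": ""},
    {"method": "GET", "path": "/forum/index.php", "body": "",
     "response": "<html>powered by vBulletin</html>"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```

The third sample is the legitimate use of the same endpoint with a non-PHP template, which is why the rule requires both the widget_php template value and a config[code] key rather than alerting on the path alone; the fourth shows that the fingerprinting strings from the IOC list identify exposure, not exploitation, and are deliberately not treated as a hit.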

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P