Two 0-day vulnerabilities in the vBulletin 5 forum software: no update available yet
Experts from SecuriTeam Secure Disclosure (SSD) have found two vulnerabilities in the popular vBulletin 5 forum software. The first allows an attacker to send any file to the server and execute PHP code remotely; no CVE identifier has been assigned to it yet.
The researchers describe the problem as follows:
"An unauthenticated attacker can trigger the attacker by sending a request to the server. web server."
The second vulnerability (CVE-2017-17672) allows files to be deleted from the server; under certain conditions, remote execution of malicious code is also possible.
Technical details are available on the SSD blog.
The researchers tried to contact the vBulletin ("vB") developers several times. Since November 21 they have not received any response, so they published proofs of concept.