Trending CVEs for the Week of September 30th, 2019

CVE-2019-16759 – vBulletin Remote Code Execution

Description

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Affected Versions

  • Any vBulletin server running versions 5.0.0 up to 5.5.4.

Patches

A security patch has been released on September 25th for vBulletin 5.5.2, vBulletin 5.5.3, and vBulletin 5.5.4.

References

vBulletin security patch information

Full Disclosure – Exploit Code