Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

vBulletin 5 Connect 5.1.2 through 5.1.9 PHP object injection attack

Disclosure Date: November 24, 2015 Last updated February 13, 2020
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.

Description

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

Add Assessment

5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

As the world’s most popular forum software, this is a big target, and that this vulnerability was an 0-day when it was first found is also extremely useful as an attacker. When exploited, the vulnerability allows an attacker to execute PHP code on any vBulletin server without requiring user authentication. It works with the default installation, meaning every vBulletin site was vulnerable at one point.

General Information

Technical Analysis