Attacker Value: High

CVE-2020-12720 vBulletin incorrect access control

Disclosure Date: May 08, 2020

Exploitability: High (1 user assessed)
Attack Vector: Network
Privileges Required: None
User Interaction: None

Description

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Vuln affects versions 5.0.0 to 5.5.4 and is weaponized in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/13512
Credit to Charles Fol for discovery and Zenofex for fast analysis and slick weaponization.

I keep thinking that it’s unlikely enterprises use vBulletin and this must be more of a risk to small- and medium-sized businesses, but looking at some of the companies that are said to be vBulletin customers, I suppose that’s not necessarily true. Article on in-the-wild exploitation here.
