Attacker Value

High

CVE-2020-12720 vBulletin incorrect access control

Attacker Value

High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2020-12720 vBulletin incorrect access control

Disclosure Date: May 08, 2020 •

CVE-2020-12720 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by ccondon-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Execution

Techniques

Validation

Scheduled Task/Job: At (Linux)

Validated

Initial Access

Techniques

Validation

Valid Accounts

Validated

Valid Accounts: Default Accounts

Validated

Valid Accounts: Domain Accounts

Validated

Valid Accounts: Local Accounts

Validated

External Remote Services

Validated

Drive-by Compromise

Validated

Exploit Public-Facing Application

Validated

Supply Chain Compromise

Validated

Metasploit Module

vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection

Description

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Add Assessment

ccondon-r7 (232)

June 11, 2020 5:05pm UTC (3 years ago)•

Ratings

Attacker Value

High

Exploitability

High

Unauthenticated

Technical Analysis

Vuln affects versions 5.0.0 to 5.5.4 and is weaponized in the form of a Metasploit module: https://github.com/rapid7/metasploit-framework/pull/13512
Credit to Charles Fol for discovery and Zenofex for fast analysis and slick weaponization.

I keep thinking that it’s unlikely enterprises use vBulletin and this must be more of a risk to small- and medium-sized businesses, but looking at some of the companies that are said to be vBulletin customers, I suppose that’s not necessarily true. Article on in-the-wild exploitation here.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

vbulletin

Products

vbulletin,
vbulletin 5.5.6,
vbulletin 5.6.0,
vbulletin 5.6.1.-

Metasploit Modules

vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_getindexablecontent.rb)

vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.rb)

Exploited in the Wild

Reported by:

ccondon-r7

Reported: August 28, 2020 5:46pm UTC (3 years ago)

References

Canonical

CVE-2020-12720 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12720)

Miscellaneous

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1

http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html

http://packetstormsecurity.com/files/157904/vBulletin-5.6.1-SQL-Injection.html

Rapid7

High