Vulnerability Description
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
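As an added illustration (not vBulletin's code; the function and parameter names are hypothetical), the pattern the description refers to, an endpoint passing a request parameter straight into unserialize(), beside a hardened version that validates a plain list of integer IDs:

```php
<?php
// Hypothetical sketch of the bug class behind CVE-2017-17672, not vBulletin's code:
// a template-cache endpoint receiving a list of template IDs from the request.

// Unsafe pattern: the parameter is a PHP-serialized string handed directly to
// unserialize(). Any class loaded in the application can be instantiated with
// attacker-chosen properties, so its __wakeup()/__destruct() side effects run
// (a cleanup routine that unlinks a path is how file deletion arises).
function cacheTemplatesUnsafe(string $templateidlist): array
{
    $ids = unserialize($templateidlist);   // untrusted data -> arbitrary objects
    return is_array($ids) ? $ids : [];
}

// Hardened pattern: never unserialize() untrusted input. Accept a flat JSON
// array and validate every element as a positive integer ID.
function cacheTemplatesSafe(string $templateidlist): array
{
    $decoded = json_decode($templateidlist, true, 2);   // depth 2: array of scalars
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('templateidlist must be a JSON array');
    }
    $ids = [];
    foreach ($decoded as $id) {
        $clean = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($clean === false) {
            throw new InvalidArgumentException('templateidlist contains a non-integer ID');
        }
        $ids[] = $clean;
    }
    return $ids;
}

// Interim mitigation when legacy callers still send PHP-serialized data:
// forbid object instantiation during decoding (PHP >= 7.0). Objects in the
// payload become __PHP_Incomplete_Class and no magic methods execute.
function decodeIdListLegacy(string $templateidlist): array
{
    $ids = unserialize($templateidlist, ['allowed_classes' => false]);
    if (!is_array($ids)) {
        return [];
    }
    return array_values(array_filter($ids, 'is_int'));
}

// Constructed sample input for the safe path.
var_dump(cacheTemplatesSafe('[1, 2, 3]'));
```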
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| vBulletin | vBulletin | >= 5.0.1, <= 5.3.3 |
References
- https://blogs.securiteam.com/index.php/archives/3573 (Exploit, Third Party Advisory)
- https://www.exploit-db.com/exploits/43362/ (Exploit, Third Party Advisory, VDB Entry)
FAQ
What is CVE-2017-17672?
CVE-2017-17672 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, a publicly exposed API reached through the templateidlist parameter of ajax/api/template/cacheTemplates.
How severe is CVE-2017-17672?
CVE-2017-17672 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-17672?
Check the references section above for vendor advisories and patch information. The affected product is vBulletin, versions 5.0.1 through 5.3.3.