Description

The vBulletin team released patches for a security exploit that affected all versions of vBulletin including 3.5, 3.6, 3.7, 3.8, 4.X, 5.X. 

A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5 (including Cloud accounts). The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.

Remediation

Install the patch provided by vBulletin team (consult web references for a dirrect link to this patch).

References

Security Exploit Patched in versions 3.5, 3.6, 3.7, 3.8, 4.X, 5.X of vBulletin

Security Exploit Patched on vBulletin - PHP Object Injection

PHP Object Injection

Related Vulnerabilities

WordPress Plugin WordPress Download Manager Remote Code Execution (2.7.4)

WordPress Plugin Coming Soon Possible Remote Code Execution (1.1.3)

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)

Umbraco CMS TemplateService remote code execution

Drupal Core Remote Code Execution (8.0.0 - 9.2.21)

Severity

High

Classification

CWE-915 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution Insecure Deserialization