CVE-2017-17672
First published: Thu Dec 14 2017(Updated: )
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| vBulletin vBulletin | >=5.0.1<=5.3.3 | |
| vBulletin vBulletin | =5.0.0-beta_11 | |
| vBulletin vBulletin | =5.0.0-beta_28 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2017-17672?
CVE-2017-17672 is an unauthenticated deserialization vulnerability in vBulletin 5.0.1 through 5.3.x that can lead to arbitrary file deletion and, in some cases, code execution.
How severe is CVE-2017-17672?
CVE-2017-17672 is considered critical with a severity score of 9.8 out of 10.
Which versions of vBulletin are affected by CVE-2017-17672?
vBulletin versions 5.0.1 through 5.3.x are affected by CVE-2017-17672.
What is the vulnerability type of CVE-2017-17672?
CVE-2017-17672 is a deserialization vulnerability.
How can CVE-2017-17672 be exploited?
CVE-2017-17672 can be exploited by exploiting the unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, leading to arbitrary file deletion and potential code execution.
- collector/nvd-index
- vendor/vbulletin
- canonical/vbulletin vbulletin
- version/vbulletin vbulletin/5.0.1
- version/vbulletin vbulletin/5.3.3
- version/vbulletin vbulletin/5.0.0-beta_11
- version/vbulletin vbulletin/5.0.0-beta_28