A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin. The zero-day is a bypass for the patch for a previous vBulletin zero-day, CVE-2019-16759, disclosed in September 2019. This previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).
But the researcher has said that the patch for CVE-2019-16759 is inadequate at blocking exploitation and that he found a simple way to bypass it and continue exploiting the same vulnerability, which he demonstrated by publishing three proofs-of-concept in Bash, Python, and Ruby.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.