Less than a month after releasing a patch for a zero-day remote code execution vulnerability, vBulletin has published a new patch update for three more vulnerabilities.
The new security patch addresses three more high-severity flaws affecting vBulletin 5.5.4 and prior versions.
vBulletin
vBulletin is a proprietary Internet forum software package. It is written in PHP and uses a MySQL database server. vBulletin powers over 100,000 websites on the internet.
The three vulnerabilities
The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw discovered by security researcher Egidio Romano.
The RCE flaw resides in the way the vBulletin forum handles user requests to update their profile avatar (the icon or graphic that represents a user). Because the request parameters are not sanitized, a remote attacker can inject arbitrary PHP code and have the target server execute it.
The vulnerability cannot be triggered in a default installation of the vBulletin forum; exploitation is possible only when the website administrator has enabled the "Save Avatars as Files" option.
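The article gives no code for the flaw, so the following is an added, hypothetical illustration of the vulnerability class it describes, not vBulletin's own code: an avatar "save as file" handler that trusts a client-supplied extension and writes the raw bytes under the web root, shown beside a hardened rewrite that derives the extension from the file content, validates the user id, and uses a random, non-overwritable filename. The request dictionaries, parameter names and directory layout are all constructed for the example.

```python
"""Hypothetical avatar 'save as file' handler: vulnerable version and hardened version.
Added example, not vBulletin code. Request shape and parameter names are assumptions."""
import os
import secrets
import tempfile
from typing import Optional

# Constructed request parameters standing in for the POST body of an avatar update.
# In the vulnerable design the client controls both the extension and the file bytes.
MALICIOUS_REQUEST = {
    "userid": "42",
    "extension": "php",
    "filedata": b"<?php system($_GET['cmd']); ?>",
}
BENIGN_REQUEST = {
    "userid": "42",
    "extension": "png",
    "filedata": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # PNG signature plus padding (constructed)
}


def save_avatar_vulnerable(request: dict, avatar_dir: str) -> str:
    """Trusts the client-supplied extension and writes the bytes as-is.

    If avatar_dir is served by the web server and the extension is 'php',
    the attacker has just uploaded a web shell: the RCE pattern."""
    path = os.path.join(avatar_dir, f"avatar{request['userid']}.{request['extension']}")
    with open(path, "wb") as fh:
        fh.write(request["filedata"])
    return path


# Magic bytes for the image formats an avatar upload should accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Returns the extension implied by the file's own header, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def save_avatar_hardened(request: dict, avatar_dir: str) -> str:
    """Ignores the client's extension entirely: the extension comes from content
    sniffing, the user id must be numeric, the filename is random, and O_EXCL
    guarantees an existing file is never overwritten."""
    if not str(request["userid"]).isdigit():
        raise ValueError("invalid user id")
    ext = sniff_image_type(request["filedata"])
    if ext is None:
        raise ValueError("payload is not a supported image")
    name = f"{int(request['userid'])}_{secrets.token_hex(8)}.{ext}"
    path = os.path.join(avatar_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(request["filedata"])
    return path


def demo() -> dict:
    """Runs both handlers against the constructed requests and reports the outcome."""
    with tempfile.TemporaryDirectory() as avatar_dir:
        vuln_path = save_avatar_vulnerable(MALICIOUS_REQUEST, avatar_dir)
        try:
            save_avatar_hardened(MALICIOUS_REQUEST, avatar_dir)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True
        benign_path = save_avatar_hardened(BENIGN_REQUEST, avatar_dir)
        return {
            "vulnerable_wrote_php": vuln_path.endswith(".php"),
            "hardened_blocked_php": hardened_blocked,
            "hardened_benign_ext": os.path.splitext(benign_path)[1],
        }


if __name__ == "__main__":
    print(demo())
```

Deriving the extension from the content is only one layer: the avatar directory should also live outside the document root or be served with script execution disabled, so that a bypass of the check still cannot produce executable PHP. Until the patch is applied, disabling "Save Avatars as Files" removes the reachable code path described above.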
The remaining two vulnerabilities, tracked together as CVE-2019-17271, are in-band and time-based SQL injection issues in two endpoints. They could allow administrators with restricted privileges to read sensitive data from the database that they could not otherwise access.
vBulletin forum administrators need not panic over these two SQL injection flaws: they cannot be exploited by an ordinary registered user and require administrative permissions.
Romano reported all three flaws to the vBulletin maintainers on September 30, and they have since released security patch updates.
If left unpatched, the vulnerabilities could be exploited by remote attackers to take complete control of targeted web servers and steal sensitive user information.
Apply security patches
Administrators are strongly advised to apply the security patch before attackers start exploiting the vulnerabilities against their forums and users.