CVE-2017-17672

CRITICAL

vBulletin < 5.3.3 - Insecure Deserialization

Title source: rule

Description

In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.

Exploits (1)

exploitdb WORKING POC
by SecuriTeam · webapps · multiple
https://www.exploit-db.com/exploits/43362

Scores

CVSS v3 9.8
EPSS 0.0828
EPSS Percentile 92.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status draft

Affected Products (3)

vbulletin/vbulletin < 5.3.3
vbulletin/vbulletin
vbulletin/vbulletin

Timeline

Published Dec 14, 2017
Tracked Since Feb 18, 2026