CVE-2020-12720
CRITICAL, EXPLOITED IN THE WILD, NUCLEI
vBulletin <5.5.6pl1, <5.6.0pl1, <5.6.1pl1 - Privilege Escalation
Title source: llm
Description
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
Exploits (2)
metasploit
WORKING POC
ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.rb
metasploit
WORKING POC
MANUAL
ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_getindexablecontent.rb
Nuclei Templates (1)
vBulletin SQL Injection
CRITICAL, by pdteam
Shodan:
http.title:"powered by vbulletin" || http.html:"powered by vbulletin" || http.component:"vbulletin" || cpe:"cpe:2.3:a:vbulletin:vbulletin"
FOFA:
body="powered by vbulletin" || title="powered by vbulletin"
References (4)
Scores
CVSS v3: 9.8
EPSS: 0.9382
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2021-04-12
InTheWild.io: 2021-04-12
CWE: CWE-306, CWE-89
Status: published
Products (4)
vbulletin/vbulletin: 5.5.6
vbulletin/vbulletin: 5.6.0
vbulletin/vbulletin: 5.6.1.-
vbulletin/vbulletin: 5.0.0 - 5.5.6
Published: May 08, 2020
Tracked Since: Feb 18, 2026