vBulletin released patches for an undisclosed security vulnerability, encouraging users to apply the patch as soon as possible. Update 05/12/20: Updated the Analysis and Proof of concept section to reflect the availability of PoCs from a vulnerability researcher.

CVE-2020-12720: vBulletin Urges Users to Patch Undisclosed Security Vulnerability

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

vBulletin is a popular PHP forum software used to build online communities. vBulletin versions before 5.5.6 Patch Level 1, version 5.6.0 before 5.6.0 Patch Level 1 and version 5.6.1 before 5.6.1 Patch Level 1 suffer from a SQL injection vulnerability through the 'nodeId' parameter in the getIndexableContent ajax function. A remote, unauthenticated attacker can exploit this issue to takeover the forum administrator account and achieve remote code execution on the target host.

The version of vBulletin running on the remote host is affected by an input-validation flaw in the content_infraction/getIndexableContent API that allows for SQL injection. This can be levereged by an attacker to obtain administrator privileges leading to remote code execution.

ID	Name	Product	Family	Severity
112440	vBulletin < 5.5.6 Patch Level 1 / 5.6.0 < 5.6.0 Patch Level 1 / 5.6.1 < 5.6.1 Patch Level 1 SQL Injection Vulnerability	Web App Scanning	Component Vulnerability	critical
136613	vBulletin 'getIndexableContent' SQL Injection (direct check)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2020-12720

critical

Tenable Plugins

critical

critical