Unauthenticated Deserialization Vulnerability in vBulletin 5.3.x

CVE-2017-17672 · HIGH Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

vBulletin through 5.3.x contains an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution. The cause is unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. The flaw is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
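
One way to spot this in captured requests, as an added example (not code from the advisory or from vBulletin): it flags `templateidlist` values sent to the endpoint named above that contain a serialized PHP object rather than only arrays and scalars. The (request target, body) record shape, the sample requests and the function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "ajax/api/template/cacheTemplates"  # endpoint named in the advisory
PARAM = "templateidlist"                       # parameter named in the advisory

# PHP serialize() writes an object as O:<len>:"<Class>":... and a Serializable
# object as C:<len>:"<Class>":...  The token sits at the start of the value or
# after ';' or '{' when nested in an array. An optional '+' before the length
# is allowed so a signed length is not missed.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"')


def suspicious_values(target, body=""):
    """Return the templateidlist values in one request that carry a PHP object."""
    if ENDPOINT not in unquote(target):
        return []
    # Collect the parameter from both the query string and a form-encoded body.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return [v for v in params.get(PARAM, []) if OBJECT_TOKEN.search(v)]


def scan(records):
    """Return (target, value) pairs for every flagged request."""
    return [(t, v) for t, b in records for v in suspicious_values(t, b)]


# Constructed sample records: (request target, form-encoded body).
# stdClass is PHP's built-in empty class, used here as a harmless stand-in.
SAMPLE = [
    # serialized array of integers only: not flagged
    ("/ajax/api/template/cacheTemplates",
     "templateidlist=a%3A2%3A%7Bi%3A0%3Bi%3A12%3Bi%3A1%3Bi%3A57%3B%7D"),
    # top-level serialized object in the body: flagged
    ("/ajax/api/template/cacheTemplates",
     "templateidlist=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    # object nested inside an array, sent in the query string: flagged
    ("/ajax/api/template/cacheTemplates?templateidlist="
     "a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D", ""),
    # same value sent to an unrelated path: ignored
    ("/forum/search", "templateidlist=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
]

if __name__ == "__main__":
    for target, value in scan(SAMPLE):
        print("serialized object in templateidlist:", target.split("?")[0], value)
```

This only sees the parameter where the request body or query string is actually logged, for example at a reverse proxy or WAF.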
