In vBulletin up to and including 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
vbulletin vbulletin |
||
vbulletin vbulletin 5.0.0 |