vBulletin 5.X critical security issue, fix available

[Yurgon]

I'm not sure which version of vBulletin is in use here, but this probably applies:

 

vBulletin Security Patch Released. Versions 5.5.2, 5.5.3, and 5.5.4

 

US NIST assigned it a Base Score of 9.8 (CRITICAL): CVE-2019-16759 Detail

[BIGNEWY]

Thanks Yurgon, I will pass it on.

[Yurgon]

Thanks Bignewy.

 

Just an FYI, I saw a bunch of failed HTTP requests scroll by the error log in a site of mine that doesn't even have a vBulletin board:

 

/vb/js/ajax.js

/vbforum/js/ajax.js

/forum/js/ajax.js

/js/ajax.js

/forums/js/ajax.js

/vBulletin/js/ajax.js

/vb5/js/ajax.js

 

Might be unrelated, but my guess is this is an active attempt to find vulnerable vBulletin installations that have not been patched yet, and it's probably happening all over the web.

[BIGNEWY]

Thanks for the heads up, the team have insured we will not be affected

[Yurgon]

vBulletin 5.X critical security issue, Patch Level 2

 

The previous thread was closed, so I couldn't post an update there.

 

The vBulletin team have issued an announcement regarding a new patch level: vBulletin 5.5.X (5.5.2, 5.5.3, and 5.5.4) Security Patch Level 2

 

This one seems to be at least as critical as the previous issue last week.

 

If I read the notes correctly, all versions of vBulletin are affected unless it's updated to:

• 5.5.4 Patch Level 2
  
• 5.5.3 Patch Level 2
  
• 5.5.2 Patch Level 2
  

 

I'm guessing that vBulletin versions older than 5 would be affected as well (and by now they're probably as secure as cheese in a mouse cage anyway).

 

Comodo had data on some 170.000 accounts stolen from their vBulletin because they didn't patch quickly enough.

 

Thanks.

[BIGNEWY]

Hi Yurgon,

 

the team is aware, thanks for the post.

 

I have merged it with the first one.

 

Edit:

The exploit does not effect our version of vBulletin the team have checked

 

thank you

Edited October 10, 2019 by BIGNEWY