CVE-2019-16759
Published: 24 September 2019
Summary
CVE-2019-16759 is a critical-severity Code Injection (CWE-94) vulnerability in vBulletin. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
vBulletin versions 5.x through 5.5.4 contain a remote code execution vulnerability tracked as CVE-2019-16759 and assigned CWE-94. The flaw resides in the handling of the widgetConfig[code] parameter within requests routed to ajax/render/widget_php, enabling injection of arbitrary PHP code that is subsequently executed by the application.
Unauthenticated attackers can exploit the issue over the network by submitting a specially crafted HTTP request containing malicious code in the widgetConfig[code] field. Successful exploitation grants full control over the target server, including the ability to read, modify, or delete data and to execute operating-system commands, consistent with the CVSS 9.8 rating, which reflects that no privileges or user interaction are required.
Public exploit code for this vulnerability has been released on multiple occasions via PacketStorm, confirming that working proof-of-concept implementations are readily available to potential attackers. No official patch or mitigation details are referenced in the supplied sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-7294
Vulnerability details
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
- CWE(s): CWE-94
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks injection of arbitrary PHP via the widgetConfig[code] parameter by enforcing validation of all inputs to the ajax/render/widget_php route before execution.
- Disables or restricts the dangerous widget_php rendering functionality and the server-side code execution capability that the vulnerability relies on.
- SI-2 (Flaw Remediation): Requires prompt application of vendor patches that eliminate the widgetConfig code-injection flaw in vBulletin 5.x.