Patch now your vBulletin install before hacker will target your forum

Maintainers of the vBulletin project have released an important fix to address a security vulnerability tracked as CVE-2020-12720.

Administrators of online discussion forums based on the popular vBulletin CMS urge to update their install to address a critical security vulnerability tracked as CVE-2020-12720.

“A security exploit has been reported within vBulletin 5.6.1. To fix this issue, we have created a new security patch.” reads the advisory published by vBulletin. “If you are using a version of vBulletin 5 Connect prior to 5.5.2, it is imperative that you upgrade as soon as possible.”

The vulnerability was reported to the development team by the security engineer Charles Fol, the expert will provide additional details during the SSTIC conference that is scheduled for the next month.

vBulletin released a patch addressing a critical vulnerability I reported through @ambionics. Patch your software. Details will be released during @sstic.— Charles Fol (@cfreal_) May 8, 2020The popular software is currently used by over 100,000 websites, including forums for multiple top companies and organizations.

Experts believe that after the disclosure of the critical vulnerability, hackers will intensify their attacks on the unpatched websites running on top of the popular CMS.

Threat actors could perform a reverse-engineering the security patch released by the organization to develop their own exploit.

According to the National Vulnerability Database (NVD), the vulnerability is the result of an incorrect access control issue that affects versions prior to 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1.

Forum administrators could install security updates for the following versions of vBulletin Connect:

5.6.1 Patch Level 15.6.0 Patch Level 15.5.6 Patch Level 1vBulletin maintainers are not aware of proof-of-concept code available online either attacks exploiting the issue in the wild.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – forum, hacking)

The post Patch now your vBulletin install before hacker will target your forum appeared first on Security Affairs.