vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability


• Affected Versions:

Version 5.5.4 and prior versions.

• Vulnerability Description:

User input passed through the “data[extension]" and “data[filedata]" parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).

• Proof of Concept:


• Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or later.

• Disclosure Timeline:

[30/09/2019] – Vendor notified

[03/10/2019] – Patch released: https://bit.ly/2OptAzI

[04/10/2019] – CVE number assigned

[07/10/2019] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-17132 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.