Administrators of online discussion forums based on the popular vBulletin CMS urge to update their install to address a critical security vulnerability tracked as CVE-2020-12720.
“A security exploit has been reported within vBulletin 5.6.1. To fix this issue, we have created a new security patch.” reads the advisory published by vBulletin. “If you are using a version of vBulletin 5 Connect prior to 5.5.2, it is imperative that you upgrade as soon as possible.”
The vulnerability was reported to the development team by the security engineer Charles Fol, the expert will provide additional details during the SSTIC conference that is scheduled for the next month.
The popular software is currently used by over 100,000 websites, including forums for multiple top companies and organizations.
Experts believe that after the disclosure of the critical vulnerability, hackers will intensify their attacks on the unpatched websites running on top of the popular CMS.
Threat actors could perform a reverse-engineering the security patch released by the organization to develop their own exploit.
According to the National Vulnerability Database (NVD), the vulnerability is the result of an incorrect access control issue that affects versions prior to 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1.
Forum administrators could install security updates for the following versions of vBulletin Connect:
vBulletin maintainers are not aware of proof-of-concept code available online either attacks exploiting the issue in the wild.
(SecurityAffairs – forum, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.