CVE-2017-17672

Name of the Vulnerable Software and Affected Versions vBulletin versions through 5.3.x

Description The issue is related to an unauthenticated deserialization vulnerability. This vulnerability can lead to arbitrary file deletion and, under certain circumstances, code execution. The vulnerability is due to the unsafe usage of PHP's unserialize() function in the vB Library Template's cacheTemplates() function. This function is part of a publicly exposed API. The templateidlist parameter in the "ajax/api/template/cacheTemplates" API endpoint is used to exploit this issue.

Recommendations For versions through 5.3.x, as a temporary workaround, consider disabling the cacheTemplates() function until a patch is available. Restrict access to the ajax/api/template/cacheTemplates API endpoint to minimize the risk of exploitation. Avoid using the templateidlist parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.