CVE-2020-17496

Name of the Vulnerable Software and Affected Versions vBulletin versions 5.5.4 through 5.6.2

Description The issue allows remote command execution via crafted subWidgets data in an "ajax/render/widget tabbedcontainer tab panel" request. This is due to an incomplete fix for a previous issue. The vulnerability can be exploited by a remote attacker to execute arbitrary commands. It has been reported that this issue is being actively exploited in the wild.

Recommendations For versions 5.5.4 through 5.6.2, consider disabling the ajax/render/widget tabbedcontainer tab panel request until a patch is available. Restrict access to the subWidgets data to minimize the risk of exploitation.