In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP’s unserialize() in vB_Library_Template’s cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.

CPE

Name | Operator | Version |
---|---|---|
vbulletin | eq | 5.0.0 beta-28 |
vbulletin | eq | 5.0.0 beta-11 |
vbulletin | ge | 5.0.1 |
vbulletin | le | 5.3.3 |
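
A detection check for the request pattern described in the advisory text, added here as an example and not taken from vBulletin or from the advisory: it flags requests to the cacheTemplates endpoint whose templateidlist value carries a PHP serialized-object token. The sample requests are constructed, and the function names and the form-encoded POST body are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

API_PATH = "ajax/api/template/cacheTemplates"  # endpoint named in the advisory
PARAM = "templateidlist"                       # parameter named in the advisory

# PHP serialize() marks objects as O:<len>:"Class" (C: for Serializable classes).
# The optional "+" covers the signed length that some older PHP versions accept.
OBJECT_TOKEN = re.compile(r'[OC]:\+?\d+:"')


def classify(method, target, body=""):
    """Return None for unrelated requests, else 'object' or 'no-object'."""
    if API_PATH.lower() not in unquote(target).lower():
        return None
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST":  # assumption: form-encoded request body
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    values = params.get(PARAM)
    if not values:
        return None
    hit = any(OBJECT_TOKEN.search(v) for v in values)
    return "object" if hit else "no-object"


def form(value):
    """Form-encode a constructed templateidlist value."""
    return urlencode({PARAM: value})


# Constructed sample requests (method, target, body); none come from real traffic.
SAMPLES = [
    ("GET", "/forum/index.php", ""),                              # unrelated page
    ("POST", "/" + API_PATH, form("a:2:{i:0;i:1;i:1;i:2;}")),     # array of integers
    ("POST", "/" + API_PATH, form('O:8:"stdClass":0:{}')),        # top-level object
    ("POST", "/" + API_PATH, form('a:1:{i:0;O:+8:"stdClass":0:{}}')),  # nested object
    ("GET", "/" + API_PATH + "?" + form('O:8:"stdClass":0:{}'), ""),   # query string
]


def scan(samples):
    """Classify each (method, target, body) tuple in order."""
    return [classify(*s) for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(verdict, sample[0], sample[1])
```

An `object` verdict on this endpoint is worth alerting on for any installation in the affected version range, since a list of template IDs has no need to carry serialized objects.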