Vulnerability Details CVE-2023-25135
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
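The validation pattern described above, as an added example (not vBulletin's code or its patch): a "does this parse?" check built on unserialize has already instantiated any objects in the input by the time it returns, while a check that passes allowed_classes => false never does. Probe, is_serialized_unsafe, is_serialized_hardened and contains_object are hypothetical names, the payload string is constructed, and PHP 8 is assumed.

```php
<?php
// Constructed stand-in class: its magic method only records that it ran.
final class Probe
{
    public static array $log = [];
    public function __wakeup(): void { self::$log[] = '__wakeup ran during validation'; }
}

// Pattern from the description: decide "is this serialized?" by unserializing
// the untrusted value and checking for an error. Objects are built as a side effect.
function is_serialized_unsafe(string $value): bool
{
    return $value === 'b:0;' || @unserialize($value) !== false;
}

// True if the decoded value holds an object at any depth.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened check: no class is ever instantiated (objects decode to
// __PHP_Incomplete_Class, whose magic methods never run), and any input
// that carried an object is rejected outright.
function is_serialized_hardened(string $value): bool
{
    if ($value === 'b:0;') {
        return true;
    }
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    return $decoded !== false && !contains_object($decoded);
}

$objectPayload = 'O:5:"Probe":0:{}';        // constructed sample input
$scalarPayload = 'a:1:{s:1:"k";i:1;}';      // constructed sample input

var_dump(is_serialized_hardened($objectPayload), Probe::$log);
var_dump(is_serialized_hardened($scalarPayload));
var_dump(is_serialized_unsafe($objectPayload), Probe::$log);
```

Run from the CLI, the log stays empty after the hardened calls and gains an entry only after the unsafe one, which is the side effect a validation-only code path is not expected to have.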
Exploit prediction scoring system (EPSS) score
EPSS Score 0.929
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2023-25135
- cpe:2.3:a:vbulletin:vbulletin:5.6.7
- cpe:2.3:a:vbulletin:vbulletin:5.6.8
- cpe:2.3:a:vbulletin:vbulletin:5.6.9