vBulletin is a web-based forum application implemented in PHP.
A Server Side Request Forgery (SSRF) vulnerability has been identified in media uploads in vBulletin, which allows remote code execution.
vBulletin version 5.2.2 and earlier
vBulletin version 4.2.3 and earlier
vBulletin version 3.8.9 and earlier
A remote attacker could exploit this vulnerability to gain complete access to the system.
Customers are advised to upgrade to vBulletin 3.8.10 Beta/vBulletin 4.2.4 Beta/vBulletin 5.2.3. Additionally, the vendor has released the following patches.
Please refer to 4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta for detailed information.
Please refer to 4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta for detailed information.
Please refer to 4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2 for detailed information.
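To triage an inventory against the version ranges and upgrade targets stated above, a check like the following can be used. This is an added example, not vendor or advisory code; the host names and installed versions in `INVENTORY` are constructed, and the status labels are hypothetical.

```python
import re

# Last affected release per branch and the upgrade target, both from the advisory.
AFFECTED = {
    3: ((3, 8, 9), "3.8.10 Beta"),
    4: ((4, 2, 3), "4.2.4 Beta"),
    5: ((5, 2, 2), "5.2.3"),
}

def parse_version(text):
    """Parse '5.2.2', '4.2' or '3.8.10 Beta' into a (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version_text):
    """Return (status, upgrade_target) for one installed version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unparsed", None)
    branch = AFFECTED.get(version[0])
    if branch is None:
        # Branch not covered by the advisory: flag for manual review, never assume safe.
        return ("unknown-branch", None)
    last_affected, upgrade_to = branch
    # Tuple comparison is numeric, so 3.8.10 sorts after 3.8.9 (string comparison would not).
    if version <= last_affected:
        return ("affected", upgrade_to)
    return ("not-listed", None)

# Constructed inventory (hypothetical host names and versions).
INVENTORY = {
    "forum-a.example": "5.2.2",
    "forum-b.example": "5.2.3",
    "forum-c.example": "3.8.10 Beta",
    "forum-d.example": "4.2",
    "forum-e.example": "unknown",
}

def report(inventory):
    """Triage every host; returns sorted (host, version, status, upgrade_target) rows."""
    return [(host, ver, *triage(ver)) for host, ver in sorted(inventory.items())]

if __name__ == "__main__":
    for host, ver, status, target in report(INVENTORY):
        print(f"{host:18} {ver:12} {status:15} {target or '-'}")
```

A version string alone may not show whether one of the vendor patches has already been applied, so hosts reported as `affected` still need to be checked against the patch notes referenced above.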
The following are links for downloading patches to fix the vulnerabilities: