After releasing a patch for a critical zero-day remote code execution vulnerability late last month, vBulletin has recently published a new security patch update that addresses 3 more high-severity vulnerabilities in its forum software.

If left unpatched, the reported security vulnerabilities, which affect vBulletin 5.5.4 and prior versions, could eventually allow remote attackers to take complete control over targeted web servers and steal sensitive user information.

Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers over 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 million companies.

Discovered by application security researcher Egidio Romano, the first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw, while the other two are SQL injection issues that share a single ID, CVE-2019-17271.