VYPR
Critical severity 9.8 · NVD Advisory · Published Dec 14, 2017 · Updated Jun 17, 2026

CVE-2017-17671

Description

vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file.
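
A defender-side check for the request pattern described above, added here as an example (it is not part of the advisory or of vBulletin's code): it scans Apache access-log lines for `routestring` values that contain `..` followed by either path separator, and for PHP open tags written into the log. It assumes the Apache common log format; the log lines, addresses and `placeholder.log` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside an Apache access-log entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." followed by EITHER separator; the flaw was that only "../" was blocked.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Constructed sample lines (documentation addresses, placeholder file name).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2017:10:00:00 +0000] "GET /index.php?routestring=forum/general HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/Dec/2017:10:00:05 +0000] "<?php /* constructed marker */ ?>" 400 226',
    '203.0.113.9 - - [14/Dec/2017:10:00:09 +0000] "GET /index.php?routestring=..%5C..%5Cplaceholder.log HTTP/1.1" 200 4821',
    '203.0.113.9 - - [14/Dec/2017:10:00:12 +0000] "GET /index.php?routestring=..%255C..%255Cplaceholder.log HTTP/1.1" 200 4821',
]


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators (%255C) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return the set of findings for one access-log line."""
    findings = set()
    if PHP_TAG_RE.search(fully_unquote(line)):
        findings.add("php-code-in-log")          # log-poisoning precursor
    match = REQUEST_RE.search(line)
    if match:
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("routestring", []):
            if TRAVERSAL_RE.search(fully_unquote(value)):
                findings.add("routestring-traversal")
    return findings


def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, start=1)]
    return [(n, found) for n, found in hits if found]


if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, sorted(found))
```
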

Affected products

5
  • Jelsoft/Vbulletin (inferred), 5 versions
    • (no CPE), range: <=5.3.x
    • cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*, range: >=5.0.1,<=5.3.3
    • cpe:2.3:a:vbulletin:vbulletin:5.0.0:beta_11:*:*:*:*:*:*
    • cpe:2.3:a:vbulletin:vbulletin:5.0.0:beta_28:*:*:*:*:*:*
    • (no CPE), range: <=5.3.x
