vBulletin through 5.5.4 Improper Input Validation Vulnerability

vBulletin through 5.5.4 mishandles custom avatars.


The information has been provided by Michael Vieth.

The original article can be found at: http://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html



User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).
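The weakness described above is a client-controlled extension and file body being written to disk without validation. The routine below is an added example of the defensive pattern, not vBulletin's code: it accepts inputs shaped like data[extension] and data[filedata], allowlists the extension, checks that the bytes actually decode as the matching image type, re-encodes the image so no foreign bytes survive into the stored file, and never lets the client choose the on-disk name. The function and parameter names (saveAvatar, $avatarDir) are hypothetical.

```php
<?php
// Added example (not vBulletin code): hardened avatar-save routine.
// Assumes PHP 8 with the fileinfo and GD extensions enabled.
declare(strict_types=1);

final class AvatarValidationException extends RuntimeException {}

/**
 * Save a user-supplied avatar only if it is a real image of an allowed type.
 *
 * @param string $claimedExtension  value analogous to data[extension]
 * @param string $fileData          raw bytes analogous to data[filedata]
 * @param int    $userId            owner of the avatar (server-side identity)
 * @param string $avatarDir         storage directory; serve it with PHP execution disabled
 * @return string path of the written file
 */
function saveAvatar(string $claimedExtension, string $fileData, int $userId, string $avatarDir): string
{
    // 1. Allowlist: each accepted extension maps to the MIME type it must decode as.
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
    ];

    $ext = strtolower($claimedExtension);
    if (!isset($allowed[$ext])) {
        throw new AvatarValidationException('extension not in allowlist');
    }

    // 2. Size cap before any decoding work.
    if ($fileData === '' || strlen($fileData) > 2 * 1024 * 1024) {
        throw new AvatarValidationException('empty or oversized upload');
    }

    // 3. Detect the type from the bytes, never from the client-supplied extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($fileData);
    if ($detected !== $allowed[$ext]) {
        throw new AvatarValidationException("content type $detected does not match .$ext");
    }

    // 4. Require the data to decode as an image; a plausible magic number alone is not enough.
    if (@getimagesizefromstring($fileData) === false) {
        throw new AvatarValidationException('data does not decode as an image');
    }

    // 5. Server-generated filename: the client controls neither the name nor the extension.
    $target = rtrim($avatarDir, '/') . '/avatar' . $userId . '.' . $ext;

    // 6. Re-encode through GD so the stored bytes are a freshly generated image,
    //    discarding any metadata or trailing payload carried in the upload.
    $img = imagecreatefromstring($fileData);
    if ($img === false) {
        throw new AvatarValidationException('GD could not decode image');
    }
    $ok = match ($ext) {
        'png'         => imagepng($img, $target),
        'jpg', 'jpeg' => imagejpeg($img, $target),
        'gif'         => imagegif($img, $target),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new AvatarValidationException('failed to write avatar');
    }
    return $target;
}
```

The content checks (steps 3, 4 and 6) are what make the extension allowlist meaningful: an allowlist alone still trusts the client's claim about what the bytes are. Independently of the code, the directory that receives avatars should be served with script execution disabled, so that a validation bypass yields a stored file rather than executed code; on an affected vBulletin install, keeping "Save Avatars as Files" at its default (disabled) removes the file write entirely.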

Vulnerable Systems:

vBulletin through 5.5.4

CVE Information:


Disclosure Timeline:
Published Date: 10/04/2019