Security researcher publishes details and exploit code for a vBulletin zero-day

A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin. The zero-day is a bypass for a patch from a previous vBulletin zero-day — namely CVE-2019-16759, disclosed in September 2019. This previous zero-day allowed attackers to exploit a bug in the vBulletin template system to run malicious code and take over forums without needing to authenticate on the victim sites (a type of bug called a pre-auth RCE).

But a researcher has said that CVE-2019-16759 is inadequate in blocking exploitation and that he had found a simple way to bypass the patch to continue exploiting the same vulnerability, proven by him publishing three proofs-of-concept in Bash, Python, and Ruby.