1name: crowdsecurity/vpatch-CVE-2020-17496
2description: "vBulletin RCE (CVE-2020-17496)"
3rules:
4  - and:
5    - zones:
6      - URI
7      transform:
8      - lowercase
9      match:
10        type: endsWith
11        value: /ajax/render/widget_tabbedcontainer_tab_panel
12    - zones:
13      - METHOD
14      match:
15        type: equals
16        value: POST
17    - zones:
18      - BODY_ARGS
19      variables:
20      - /subwidgets\[[0-9]+\]\[template\]/
21      match:
22        type: equals
23        value: widget_php
24    - zones:
25      - BODY_ARGS_NAMES
26      match:
27        type: regex
28        value: subWidgets\[[0-9]+\]\[config\]\[code\]
29
30labels:
31  type: exploit
32  service: http
33  confidence: 3
34  spoofable: 0
35  behavior: "http:exploit"
36  label: "vBulletin RCE"
37  classification:
38   - cve.CVE-2020-17496
39   - attack.T1595
40   - attack.T1190
41   - cwe.CWE-74