CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39777
https://notcve.org/view.php?id=CVE-2023-39777
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en el Panel de Control de Administración de vBulletin 5.7.5 y 6.0.0 permite a los atacantes ejecutar scripts web o HTML arbitrarias a través del parámetro de URL /login.php?do=login. • https://gist.github.com/GiongfNef/8fe658dce4c7fcf3a7b4e6387e50141c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 71%CPEs: 3EXPL: 1CVE-2023-25135
https://notcve.org/view.php?id=CVE-2023-25135
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25115
https://notcve.org/view.php?id=CVE-2020-25115
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. El Admin CP en vBulletin versión 5.6.3, permite un ataque de tipo XSS por medio de un título Occupation o Description en User Profile Field Manager • https://pentest-vincent.blogspot.com/2020/09/vbulletin-563-multiple-persistent-cross.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25116
https://notcve.org/view.php?id=CVE-2020-25116
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. El Admin CP en vBulletin versión 5.6.3, permite un ataque de tipo XSS por medio de un Título Announcement en Channel Manager • https://pentest-vincent.blogspot.com/2020/09/vbulletin-563-multiple-persistent-cross.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25117
https://notcve.org/view.php?id=CVE-2020-25117
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. El Admin CP en vBulletin versión 5.6.3, permite un ataque de tipo XSS por medio de un Título Junior Member en User Title Manager • https://pentest-vincent.blogspot.com/2020/09/vbulletin-563-multiple-persistent-cross.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •