
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login URL parameter. • https://gist.github.com/GiongfNef/8fe658dce4c7fcf3a7b4e6387e50141c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 85% | CPEs: 4 | EXPL: 0

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. vBulletin version 5.6.1 suffers from a remote SQL injection vulnerability. • http://packetstormsecurity.com/files/157716/vBulletin-5.6.1-SQL-Injection.html http://packetstormsecurity.com/files/157904/vBulletin-5.6.1-SQL-Injection.html https://attackerkb.com/topics/RSDAFLik92/cve-2020-12720-vbulletin-incorrect-access-control https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-306: Missing Authentication for Critical Function

CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 1

vBulletin 5.5.4 allows SQL injection via the where parameter of ajax/api/hook/getHookList or ajax/api/widget/getWidgetList. vBulletin versions 5.5.4 and below suffer from multiple remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/154758/vBulletin-5.5.4-SQL-Injection.html https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 8% | CPEs: 1 | EXPL: 1

vBulletin through 5.5.4 mishandles custom avatars. vBulletin versions 5.5.4 and below suffer from an updateAvatar remote code execution vulnerability. • https://www.exploit-db.com/exploits/47475 http://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2019/Oct/9 https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

vBulletin before 5.5.4 allows clickjacking. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4421373-vbulletin-connect-5-5-4-is-now-available-for-download • CWE-1021: Improper Restriction of Rendered UI Layers or Frames