CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 2CVE-2006-5104 – vBulletin 2.3.x - 'global.php' SQL Injection
https://notcve.org/view.php?id=CVE-2006-5104
02 Oct 2006 — SQL injection vulnerability in global.php in Jelsoft vBulletin 2.x allows remote attackers to execute arbitrary SQL commands via the templatesused parameter. Vulnerabilidad de inyección SQL en global.php en Jelsoft vBulletin 2.x permite a un atacante remoto ejecutar comandos SQL de su elección a través del parámetro templatesused. • https://www.exploit-db.com/exploits/28694 •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2006-4271
https://notcve.org/view.php?id=CVE-2006-4271
21 Aug 2006 — PHP remote file inclusion vulnerability in install/upgrade_301.php in Jelsoft vBulletin 3.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the step parameter. NOTE: the vendor has disputed this vulnerability, saying "The default vBulletin requires authentication prior to the usage of the upgrade system. ** IMPUGNADA ** Vulnerabilidad de inclusión remota de archivo en PHP en install/upgrade_301.php en Jelsoft vBulletin 3.5.4 permite a atacantes remotos ejecutar código PHP de su elección... • http://archives.neohapsis.com/archives/bugtraq/2006-07/0061.html •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 2CVE-2006-4273 – vBulletin 3.0.14 - 'global.php' Encoded Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-4273
21 Aug 2006 — Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 3.5.4 and 3.6.0 allows remote attackers to inject arbitrary web script or HTML by uploading an attachment with a .pdf extension that contains JavaScript, which is processed as script by Microsoft Internet Explorer 6. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Jelsoft vBulletin 3.5.4 y 3.6.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección enviando un adjunto con extensión .pdf que con... • https://www.exploit-db.com/exploits/28342 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2006-4272
https://notcve.org/view.php?id=CVE-2006-4272
21 Aug 2006 — Jelsoft vBulletin 3.5.4 allows remote attackers to register multiple arbitrary users and cause a denial of service (resource consumption) via a large number of requests to register.php. NOTE: the vendor has disputed this vulnerability, stating "If you have the CAPTCHA enabled then the registrations wont even go through. ... if you are talking about the flood being allowed in the first place then surely this is something that should be handled at the server level. ** IMPUGNADA ** Jelsoft vBulletin 3.5.4 perm... • http://archives.neohapsis.com/archives/bugtraq/2006-08/0381.html •
CVSS: 6.1EPSS: 6%CPEs: 11EXPL: 2CVE-2006-3253 – vBulletin 3.0.9/3.5.x - 'member.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-3253
27 Jun 2006 — Cross-site scripting (XSS) vulnerability in member.php in vBulletin 3.5.x allows remote attackers to inject arbitrary web script or HTML via the u parameter. NOTE: the vendor has disputed this report, stating that they have been unable to replicate the issue and that "the userid parameter is run through our filtering system as an unsigned integer. ** IMPUGNADA ** Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados en member.php en vBulletin v3.5.x permite a atacantes remotos... • https://www.exploit-db.com/exploits/28076 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 3CVE-2006-2805 – vBulletin 3.0.10 - 'Portal.php' SQL Injection
https://notcve.org/view.php?id=CVE-2006-2805
03 Jun 2006 — SQL injection vulnerability in VBulletin 3.0.10 allows remote attackers to execute arbitrary SQL commands via the featureid parameter. • https://www.exploit-db.com/exploits/27929 •
CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 1CVE-2006-2335
https://notcve.org/view.php?id=CVE-2006-2335
12 May 2006 — Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated administrators to gain shell access by uploading a CSS file that contains PHP code, then selecting the file via the style chooser, which causes the PHP code to be executed. NOTE: the vendor was unable to reproduce this issue in 3.5.x. NOTE: this issue might be due to direct static code injection. • http://b3hr0uz.persiangig.com/VbStyleVuln.txt •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 1CVE-2006-2018
https://notcve.org/view.php?id=CVE-2006-2018
25 Apr 2006 — SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the eventid parameter. NOTE: the affected version has been disputed by the vendor. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4. • http://www.securityfocus.com/archive/1/431901 •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2006-1816
https://notcve.org/view.php?id=CVE-2006-1816
18 Apr 2006 — PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via a URL in the systempath parameter to (1) ImpExModule.php, (2) ImpExController.php, and (3) ImpExDisplay.php. • http://secunia.com/advisories/19352 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2006-1673 – vBulletin 3.5.1 - 'Vbugs.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1673
07 Apr 2006 — Cross-site scripting (XSS) vulnerability in vbugs.php in Dark_Wizard vBug Tracker 3.5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the sortorder parameter. • https://www.exploit-db.com/exploits/27580 •