CVSS: 3.5EPSS: 0%CPEs: 7EXPL: 5CVE-2014-2021 – vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-2021
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name. Vulnerabilidad de XSS en admincp/apilog.php en vBulletin 4.2.2 y versiones anteriores y 5.0.x hasta la versión 5.0.5 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de una petición API XMLRPC manipulada, según lo demostrado usando el nombre client. vBulletin versions 5.x and 4.x suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/40114 http://packetstormsecurity.com/files/128691/vBulletin-5.x-4.x-Persistent-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Oct/55 http://seclists.org/fulldisclosure/2014/Oct/63 http://www.securityfocus.com/bid/70577 http://www.securitytracker.com/id/1031000 https://exchange.xforce.ibmcloud.com/vulnerabilities/97026 https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2012-4328
https://notcve.org/view.php?id=CVE-2012-4328
Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. Una vulnerabilidad no especificada en MAPI en vBulletin Suite v4.1.2 a v4.1.12, Forum v4.1.2 a 4.1.12, y el plugin MAPI v1.4.3 para vBulletin v3.x tiene un impacto y vectores de ataque desconocidos. • http://osvdb.org/81474 http://secunia.com/advisories/48917 http://www.securityfocus.com/bid/53226 https://exchange.xforce.ibmcloud.com/vulnerabilities/75160 https://www.vbulletin.com/forum/showthread.php/400162-vBulletin-3-x-MAPI-Plugin-1-4-3-released-with-security-patch-04-23-2012 https://www.vbulletin.com/forum/showthread.php/400164-vBulletin-Security-Patch-for-vBulletin-4-1-2-4-1-11-for-Suite-amp-Forum-04-23-2012 https://www.vbulletin.com/forum/showthread.php/400165-vBulletin-Security&# •
CVSS: 5.8EPSS: 0%CPEs: 13EXPL: 0CVE-2011-5251 – vBulletin 4.1.3 Open Redirect
https://notcve.org/view.php?id=CVE-2011-5251
Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. Vulnerabilidad de redirección abierta en forum/login.php en vBulletin v4.1.3 y anteriores, permite a atacantes remotos redirigir a usuarios a sitios web de su elección y llevar a cabo ataques de phishing a través del parámetro url en una acción lostpw. vBulletin versions 3 through 4.1.3 suffer from an open redirect vulnerability. • http://www.vbulletin.com/forum/showthread.php/381014-Potential-Phishing-Vector?p=2166441 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2007-2912
https://notcve.org/view.php?id=CVE-2007-2912
Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user. Vulnerabilidad no especificada en Jelsoft vBulletin anterior a 3.6.6, se deshabilita la infracción de permisos de usuarios no autenticados, permite a atacantes remotos ver la "bandera roja" de la infracción para un usuario eliminado. • http://osvdb.org/38616 http://www.vbulletin.com/forum/project.php?issueid=21481 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2007-2908 – vBulletin 3.6.6 - 'calendar.php' HTML Injection
https://notcve.org/view.php?id=CVE-2007-2908
Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin before 3.6.6 allows remote attackers to inject arbitrary web script or HTML via the title field in a single add action. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en calendar.php de Jelsoft vBulletin versiones anteriores a 3.6.6, permite a atacantes remotos inyectar scripts web o HTML de su elección mediante el campo title en un acción add simple. • https://www.exploit-db.com/exploits/30047 http://osvdb.org/35155 http://secunia.com/advisories/25309 http://securityreason.com/securityalert/2751 http://www.securityfocus.com/archive/1/468731/100/0/threaded http://www.securityfocus.com/bid/24020 https://exchange.xforce.ibmcloud.com/vulnerabilities/34333 •