CVSS: 3.5EPSS: 0%CPEs: 7EXPL: 5CVE-2014-2021 – vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-2021
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name. Vulnerabilidad de XSS en admincp/apilog.php en vBulletin 4.2.2 y versiones anteriores y 5.0.x hasta la versión 5.0.5 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de una petición API XMLRPC manipulada, según lo demostrado usando el nombre client. vBulletin versions 5.x and 4.x suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/40114 http://packetstormsecurity.com/files/128691/vBulletin-5.x-4.x-Persistent-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Oct/55 http://seclists.org/fulldisclosure/2014/Oct/63 http://www.securityfocus.com/bid/70577 http://www.securitytracker.com/id/1031000 https://exchange.xforce.ibmcloud.com/vulnerabilities/97026 https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2012-4328
https://notcve.org/view.php?id=CVE-2012-4328
Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. Una vulnerabilidad no especificada en MAPI en vBulletin Suite v4.1.2 a v4.1.12, Forum v4.1.2 a 4.1.12, y el plugin MAPI v1.4.3 para vBulletin v3.x tiene un impacto y vectores de ataque desconocidos. • http://osvdb.org/81474 http://secunia.com/advisories/48917 http://www.securityfocus.com/bid/53226 https://exchange.xforce.ibmcloud.com/vulnerabilities/75160 https://www.vbulletin.com/forum/showthread.php/400162-vBulletin-3-x-MAPI-Plugin-1-4-3-released-with-security-patch-04-23-2012 https://www.vbulletin.com/forum/showthread.php/400164-vBulletin-Security-Patch-for-vBulletin-4-1-2-4-1-11-for-Suite-amp-Forum-04-23-2012 https://www.vbulletin.com/forum/showthread.php/400165-vBulletin-Security&# •
CVSS: 5.8EPSS: 0%CPEs: 13EXPL: 0CVE-2011-5251 – vBulletin 4.1.3 Open Redirect
https://notcve.org/view.php?id=CVE-2011-5251
Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. Vulnerabilidad de redirección abierta en forum/login.php en vBulletin v4.1.3 y anteriores, permite a atacantes remotos redirigir a usuarios a sitios web de su elección y llevar a cabo ataques de phishing a través del parámetro url en una acción lostpw. vBulletin versions 3 through 4.1.3 suffer from an open redirect vulnerability. • http://www.vbulletin.com/forum/showthread.php/381014-Potential-Phishing-Vector?p=2166441 • CWE-20: Improper Input Validation •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-2911
https://notcve.org/view.php?id=CVE-2007-2911
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573. Vulnerabilidad de inyección SQL en admincp/attachment.php en Jelsoft vBulletin anterior a 3.6.6 permite a administradores remotos autenticados ejecutar código PHP de su elección mediante el campo "Attached After" (variable GPC['search']['datelineafter']), un asunto relacionado con CVE-2007-1573. • http://osvdb.org/38147 http://www.vbulletin.com/forum/project.php?issueid=21615 https://exchange.xforce.ibmcloud.com/vulnerabilities/34784 •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2007-2912
https://notcve.org/view.php?id=CVE-2007-2912
Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user. Vulnerabilidad no especificada en Jelsoft vBulletin anterior a 3.6.6, se deshabilita la infracción de permisos de usuarios no autenticados, permite a atacantes remotos ver la "bandera roja" de la infracción para un usuario eliminado. • http://osvdb.org/38616 http://www.vbulletin.com/forum/project.php?issueid=21481 •