CVSS: 7.5EPSS: 74%CPEs: 2EXPL: 2CVE-2013-6129 – vBulletin 4.1.x - '/install/upgrade.php' Security Bypass
https://notcve.org/view.php?id=CVE-2013-6129
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013. Los scripts install/upgrade.php en vBulletin 4.1 y 5 permite a atacantes remotos crear cuentas administrativas a traves de los parámetros customerid, htmldata[password], htmldata[confirmpassword], y htmldata[email], como fue explotado activamente en Octubre 2013. • https://www.exploit-db.com/exploits/38785 http://www.net-security.org/secworld.php?id=15743 http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2012-4686 – vBulletin 4.1.10 - 'announcementid' SQL Injection
https://notcve.org/view.php?id=CVE-2012-4686
SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via the announcementid parameter. Vulnerabilidad de inyección SQL en announcement.php en vBulletin v4.1.10 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro announcementid. • https://www.exploit-db.com/exploits/37062 http://archives.neohapsis.com/archives/bugtraq/2012-04/0042.html http://osvdb.org/80962 http://www.securityfocus.com/bid/52897 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2012-4328
https://notcve.org/view.php?id=CVE-2012-4328
Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. Una vulnerabilidad no especificada en MAPI en vBulletin Suite v4.1.2 a v4.1.12, Forum v4.1.2 a 4.1.12, y el plugin MAPI v1.4.3 para vBulletin v3.x tiene un impacto y vectores de ataque desconocidos. • http://osvdb.org/81474 http://secunia.com/advisories/48917 http://www.securityfocus.com/bid/53226 https://exchange.xforce.ibmcloud.com/vulnerabilities/75160 https://www.vbulletin.com/forum/showthread.php/400162-vBulletin-3-x-MAPI-Plugin-1-4-3-released-with-security-patch-04-23-2012 https://www.vbulletin.com/forum/showthread.php/400164-vBulletin-Security-Patch-for-vBulletin-4-1-2-4-1-11-for-Suite-amp-Forum-04-23-2012 https://www.vbulletin.com/forum/showthread.php/400165-vBulletin-Security&# •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3844
https://notcve.org/view.php?id=CVE-2012-3844
Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en vBulletin v4.1.12, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de una cadena larga en el parámetro subject cuando se crea una publicación. • http://hauntit.blogspot.com/2012/04/en-vbulletin-4112-cross-site-scripting.html http://packetstormsecurity.org/files/112385/vBulletin-4.1.12-Cross-Site-Scripting.html http://www.securityfocus.com/bid/53319 https://exchange.xforce.ibmcloud.com/vulnerabilities/75325 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 13EXPL: 0CVE-2011-5251 – vBulletin 4.1.3 Open Redirect
https://notcve.org/view.php?id=CVE-2011-5251
Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. Vulnerabilidad de redirección abierta en forum/login.php en vBulletin v4.1.3 y anteriores, permite a atacantes remotos redirigir a usuarios a sitios web de su elección y llevar a cabo ataques de phishing a través del parámetro url en una acción lostpw. vBulletin versions 3 through 4.1.3 suffer from an open redirect vulnerability. • http://www.vbulletin.com/forum/showthread.php/381014-Potential-Phishing-Vector?p=2166441 • CWE-20: Improper Input Validation •