Page 6 of 55 results (0.003 seconds)

CVSS: 5.0EPSS: 5%CPEs: 3EXPL: 0

PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via a URL in the systempath parameter to (1) ImpExModule.php, (2) ImpExController.php, and (3) ImpExDisplay.php. • http://secunia.com/advisories/19352 http://www.osvdb.org/24690 http://www.osvdb.org/24691 http://www.osvdb.org/24692 http://www.securityfocus.com/archive/1/430881/100/0/threaded http://www.securityfocus.com/archive/1/467666/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/25789 https://exchange.xforce.ibmcloud.com/vulnerabilities/34095 •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2

Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or HTML via the email field, which is injected in profile.php but not sanitized in sendmsg.php. • https://www.exploit-db.com/exploits/27343 http://secunia.com/advisories/19100 http://www.kapda.ir/advisory-266.html http://www.osvdb.org/23614 http://www.securityfocus.com/archive/1/426537/100/0/threaded http://www.securityfocus.com/archive/1/426589/100/0/threaded http://www.securityfocus.com/bid/16919 http://www.vbulletin.com/forum/showthread.php?postid=1079030 http://www.vupen.com/english/advisories/2006/0808 •

CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 1

Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php. • http://kapda.ir/advisory-177.html http://secunia.com/advisories/18299 http://www.osvdb.org/22210 http://www.osvdb.org/22220 http://www.securityfocus.com/archive/1/420663/100/0/threaded http://www.securityfocus.com/archive/1/421310/100/0/threaded http://www.securityfocus.com/bid/16116 http://www.vupen.com/english/advisories/2006/0033 •

CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0

Cross-site scripting (XSS) vulnerability in the editavatar page in vBulletin 3.5.1 allows remote attackers to inject arbitrary web script or HTML via a URL in the remote avatar url field, in which the URL generates a parsing error, and possibly requiring a trailing extension such as .jpg. • http://pridels0.blogspot.com/2005/11/vbulletin-351-xss-vuln.html http://www.osvdb.org/21373 http://www.securityfocus.com/bid/16128 http://www.vbulletin.com/forum/showthread.php?t=166391 •

CVSS: 7.5EPSS: 0%CPEs: 33EXPL: 1

Multiple SQL injection vulnerabilities in vBulletin 3.0.7 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) announcement parameter to announcement.php, the (2) thread[forumid] or (3) criteria parameters to thread.php, (4) userid parameter to user.php, the (5) calendarcustomfieldid, (6) calendarid, (7) moderatorid, (8) holidayid, (9) calendarmoderatorid, or (10) calendar[0] parameters to admincalendar.php, (11) the cronid parameter to cronlog.php, (12) user[usergroupid][0] parameter to email.php, (13) help[0] parameter to help.php, the (14) limitnumber or (15) limitstart parameter to user.php, the (16) usertitleid or (17) ids parameters to usertitle.php, (18) rvt[0] parameter to language.php, (19) keep[0] parameter to phrase.php, (20) dostyleid parameter to template.php, (21) thread[forumid] parameter to thread.php, or (22) usertools.php. • http://marc.info/?l=bugtraq&m=112732980702939&w=2 http://morph3us.org/advisories/20050917-vbulletin-3.0.7.txt •