CVE-2014-5102
https://notcve.org/view.php?id=CVE-2014-5102
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.
• References:
  http://packetstormsecurity.com/files/127537/vBulletin-5.1.2-SQL-Injection.html
  http://www.pcworld.com/article/2455500/emergency-vbulletin-patch-fixes-dangerous-sql-injection-vulnerability.html
  http://www.securityfocus.com/bid/68709
  http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-3135
https://notcve.org/view.php?id=CVE-2014-3135
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment indicator to /help, or (4) the view parameter to a topic, as demonstrated by a request to forum/anunturi-importante/rst-power/67030-rst-admin-restore.
• References:
  http://packetstormsecurity.com/files/126226/vBulletin-5.1-Cross-Site-Scripting.html
  http://www.securityfocus.com/bid/66972
  https://exchange.xforce.ibmcloud.com/vulnerabilities/92664
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6129 – vBulletin 4.1.x - '/install/upgrade.php' Security Bypass
https://notcve.org/view.php?id=CVE-2013-6129
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.
• References:
  https://www.exploit-db.com/exploits/38785
  http://www.net-security.org/secworld.php?id=15743
  http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-3522 – vBulletin 5 - 'index.php/ajax/api/reputation/vote?nodeid' SQL Injection
https://notcve.org/view.php?id=CVE-2013-3522
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.
• References:
  https://www.exploit-db.com/exploits/30212
  https://www.exploit-db.com/exploits/24882
  http://www.osvdb.org/92031
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-4686 – vBulletin 4.1.10 - 'announcementid' SQL Injection
https://notcve.org/view.php?id=CVE-2012-4686
SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via the announcementid parameter.
• References:
  https://www.exploit-db.com/exploits/37062
  http://archives.neohapsis.com/archives/bugtraq/2012-04/0042.html
  http://osvdb.org/80962
  http://www.securityfocus.com/bid/52897
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')