CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

16 Sep 2023 — A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login URL parameter. • https://gist.github.com/GiongfNef/8fe658dce4c7fcf3a7b4e6387e50141c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 2

07 Oct 2019 — vBulletin 5.5.4 allows SQL Injection via the where parameter of ajax/api/hook/getHookList or ajax/api/widget/getWidgetList. vBulletin versions 5.5.4 and below suffer from multiple remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/154758 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 31% | CPEs: 1 | EXPL: 2

04 Oct 2019 — vBulletin through 5.5.4 mishandles custom avatars. vBulletin versions 5.5.4 and below suffer from an updateAvatar remote code execution vulnerability. • https://packetstorm.news/files/id/154759 • CWE-20: Improper Input Validation • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Oct 2019 — vBulletin before 5.5.4 allows clickjacking. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4421373-vbulletin-connect-5-5-4-is-now-available-for-download • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Oct 2019 — vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423391-vbulletin-5-5-5-alpha-4-available-for-download • CWE-552: Files or Directories Accessible to External Parties

CVSS: 6.1 | EPSS: 13% | CPEs: 2 | EXPL: 1

25 Jan 2018 — vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter. • https://cxsecurity.com/issue/WLB-2018010251 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 9.0 | EPSS: 10% | CPEs: 2 | EXPL: 2

15 Sep 2017 — functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php. • https://www.exploit-db.com/exploits/36232 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

06 Apr 2017 — In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037. • https://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4367744-vbulletin-5-3-0-connect-is-now-available • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 | EPSS: 85% | CPEs: 2 | EXPL: 1

30 Aug 2016 — SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016. • https://www.exploit-db.com/exploits/40751 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 7 | EXPL: 1

13 Feb 2015 — Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3. • https://packetstorm.news/files/id/130393 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')