CVE-2023-39777
https://notcve.org/view.php?id=CVE-2023-39777
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en el Panel de Control de Administración de vBulletin 5.7.5 y 6.0.0 permite a los atacantes ejecutar scripts web o HTML arbitrarias a través del parámetro de URL /login.php?do=login. • https://gist.github.com/GiongfNef/8fe658dce4c7fcf3a7b4e6387e50141c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-17271 – vBulletin 5.5.4 SQL Injection
https://notcve.org/view.php?id=CVE-2019-17271
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. vBulletin versión 5.5.4, permite la inyección de SQL por medio del parámetro where del archivo ajax/api/hook/getHookList o ajax/api/widget/getWidgetList. vBulletin versions 5.5.4 and below suffer from multiple remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/154758/vBulletin-5.5.4-SQL-Injection.html https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-17132 – vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-17132
vBulletin through 5.5.4 mishandles custom avatars. vBulletin versiones hasta 5.5.4, maneja inapropiadamente los avatars personalizados. vBulletin versions 5.5.4 and below suffers from an updateAvatar remote code execution vulnerability. • https://www.exploit-db.com/exploits/47475 http://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2019/Oct/9 https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-17131
https://notcve.org/view.php?id=CVE-2019-17131
vBulletin before 5.5.4 allows clickjacking. vBulletin versiones anteriores a 5.5.4, permite llevar a cabo el secuestro del cliqueo. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4421373-vbulletin-connect-5-5-4-is-now-available-for-download • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVE-2019-17130
https://notcve.org/view.php?id=CVE-2019-17130
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. vBulletin versiones hasta 5.5.4, maneja inapropiadamente las URL externas dentro del archivo /core/vb/vurl.php y los directorios /core/vb/vurl. • https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423391-vbulletin-5-5-5-alpha-4-available-for-download • CWE-552: Files or Directories Accessible to External Parties •