CVE-2004-1824
Description
A reflected XSS vulnerability in Jelsoft vBulletin before 3.0 allows remote attackers to inject arbitrary web script or HTML via the 'what' parameter in memberlist.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Jelsoft vBulletin versions prior to 3.0. The flaw is present in the memberlist.php script, where the 'what' parameter is not properly sanitized before being reflected to the user. This allows an attacker to inject arbitrary web script or HTML. According to [2], the issue only affects versions before 3.0; versions 3.0 and later are not vulnerable through this particular parameter. The vulnerability is considered higher risk because, unlike many XSS issues, slashes are not added to special characters, allowing arbitrary input to execute successfully.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL that includes XSS payloads in the 'what' parameter of memberlist.php. The attacker does not require any authentication or special privileges; they only need to trick a victim into clicking the crafted link. For example, a URL like memberlist.php?action=getall&what=[XSS]&ltr=&perpage=25&orderby=username will reflect the injected script in the page output. The attack can also be combined with other parameters in other files, but this CVE focuses solely on the memberlist.php vector [2].
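An added example (not from the advisory, the vendor or this record): a check defenders can run over web-server access logs to find requests that match the pattern described above, that is, memberlist.php requests whose 'what' parameter carries HTML metacharacters. The combined-log format, the sample lines and all function names are constructed for illustration; the check also undoes repeated percent-encoding, which goes beyond the case in the description.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2005:10:00:00 +0000] "GET /forum/memberlist.php?action=getall&what=&ltr=A&perpage=25&orderby=username HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2005:10:00:05 +0000] "GET /forum/memberlist.php?action=getall&what=%3Cb%3Ex%3C%2Fb%3E&ltr=&perpage=25&orderby=username HTTP/1.1" 200 5200
203.0.113.9 - - [01/Jan/2005:10:00:09 +0000] "GET /forum/memberlist.php?action=getall&what=%253Cb%253Ex&perpage=25 HTTP/1.1" 200 5200
203.0.113.7 - - [01/Jan/2005:10:00:12 +0000] "GET /forum/showthread.php?what=%3Cb%3E HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set("<>\"'")  # characters that should never appear in a member search term


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_what_values(log_text):
    """Return (line_number, decoded value) for memberlist.php requests
    whose 'what' parameter contains HTML metacharacters."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/memberlist.php"):
            continue  # this CVE covers only the memberlist.php vector
        # parse_qs decodes once; fully_decode handles further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("what", []):
            value = fully_decode(raw)
            if MARKUP_CHARS & set(value):
                hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    for lineno, value in suspicious_what_values(SAMPLE_LOG):
        print(f"line {lineno}: what={value!r}")
```

Hits on a pre-3.0 installation are worth correlating with the Referer header and the session activity that followed the request.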
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement of the page, or redirection to malicious sites. The impact is primarily on the confidentiality and integrity of user data; the attacker gains access to the victim's session and can perform actions as that user. The vulnerability does not directly provide server-side code execution or data manipulation beyond what the victim's browser can be made to do.
Mitigation
The vulnerability is fixed in Jelsoft vBulletin 3.0 and later versions. Users running any version prior to 3.0 should upgrade to a current, supported version. The vendor was notified and a fix was expected to be released [2]. As of the publication date (2004-12-31), no further workarounds have been documented aside from upgrading. The advisory from Secunia [1] confirms the existence of the vulnerability but does not provide additional mitigation details.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (9)
- secunia.com/advisories/11142 (nvd, Patch)
- www.securityfocus.com/bid/9887 (nvd, Exploit)
- archives.neohapsis.com/archives/bugtraq/2002-11/0276.html (nvd)
- marc.info (nvd)
- securitytracker.com/id (nvd)
- www.iss.net/security_center/static/10679.php (nvd)
- www.osvdb.org/4312 (nvd)
- www.securityfocus.com/bid/6226 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15495 (nvd)