vBulletin
by Jelsoft
CVEs (104)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-25124 | 0.00 | — | 0.01 | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. |
| CVE-2019-17271 | 0.00 | — | 0.01 | Oct 8, 2019 | vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. |
| CVE-2019-17131 | 0.00 | — | 0.01 | Oct 4, 2019 | vBulletin before 5.5.4 allows clickjacking. |
| CVE-2019-17130 | 0.00 | — | 0.01 | Oct 4, 2019 | vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. |
| CVE-2018-15493 | 0.00 | — | 0.01 | Oct 17, 2018 | vBulletin 5.4.3 has an Open Redirect. |
| CVE-2014-9438 | 0.00 | — | 0.01 | Jan 2, 2015 | Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2)… |
| CVE-2014-8670 | 0.00 | — | 0.02 | Nov 6, 2014 | Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. |
| CVE-2014-5102 | 0.00 | — | 0.01 | Jul 25, 2014 | SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. |
| CVE-2014-3135 | 0.00 | — | 0.02 | Apr 30, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment… |
| CVE-2011-5251 | 0.00 | — | 0.02 | Dec 31, 2012 | Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. |
| CVE-2012-4328 | 0.00 | — | 0.02 | Aug 14, 2012 | Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. |
| CVE-2012-3844 | 0.00 | — | 0.01 | Jul 3, 2012 | Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post. |
| CVE-2008-6256 | 0.00 | — | 0.01 | Feb 24, 2009 | SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022. |
| CVE-2008-6255 | 0.00 | — | 0.01 | Feb 24, 2009 | Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3)… |
| CVE-2008-2460 | 0.00 | — | 0.01 | May 27, 2008 | SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action. |
| CVE-2007-4453 | 0.00 | — | 0.01 | Aug 21, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.8 allow remote attackers to inject arbitrary web code or HTML via the (1) s parameter to index.php, and the (2) q parameter to (a) faq.php, (b) member.php, (c) memberlist.php, (d) calendar.php, (e) search.php,… |
| CVE-2007-4120 | 0.00 | — | 0.02 | Aug 1, 2007 | Multiple PHP remote file inclusion vulnerabilities in Jelsoft vBulletin 3.6.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) classfile parameter to includes/functions.php, the (2) nextitem parameter to includes/functions_cron.php, and the (3)… |
| CVE-2007-3326 | 0.00 | — | 0.01 | Jun 21, 2007 | Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local files via a .. (dot dot) in (1) the loc parameter to admincp/index.php and (2) the Hyperlink information URl field for post Topic in showthread.php,… |
| CVE-2007-2911 | 0.00 | — | 0.01 | May 30, 2007 | SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573. |
| CVE-2007-2909 | 0.00 | — | 0.01 | May 30, 2007 | Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin 3.6.x before 3.6.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_calendar366_xss_fix_plugin.xml update. |