Jelsoft

All CVEs

118 total · sorted by risk
  • CVE-2004-2288 · Dec 31, 2004
    risk 0.03 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBulletin allows remote attackers to spoof parts of a website via the loc parameter.

  • CVE-2004-1515 · Dec 31, 2004
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL statements via the fsel parameter, as demonstrated using last.php.

  • CVE-2004-0620 · Dec 6, 2004
    risk 0.03 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel.

  • CVE-2003-1031 · Feb 17, 2004
    risk 0.03 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in register.php for vBulletin 3.0 Beta 2 allows remote attackers to inject arbitrary HTML or web script via optional fields such as (1) "Interests-Hobbies", (2) "Biography", or (3) "Occupation."

  • CVE-2003-0295 · Jun 16, 2003
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in private.php for vBulletin 3.0.0 Beta 2 allows remote attackers to inject arbitrary web script and HTML via the "Preview Message" capability.

  • CVE-2002-1922 · Dec 31, 2002
    risk 0.03 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in global.php in Jelsoft vBulletin 2.0.0 through 2.2.8 allows remote attackers to inject arbitrary web script or HTML via the (1) $scriptpath or (2) $url variables.

  • CVE-2002-2235 · Dec 31, 2002
    risk 0.03 · cvss · epss 0.02

    member2.php in vBulletin 2.2.9 and earlier does not properly restrict the $perpage variable to be an integer, which causes an error message to be reflected back to the user without quoting, which facilitates cross-site scripting (XSS) and possibly other attacks.

  • CVE-2025-46171 · Jul 23, 2025
    risk 0.00 · cvss · epss 0.00

    vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.

  • CVE-2023-39777 · Sep 16, 2023
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.

  • CVE-2014-125086 · Feb 6, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability has been found in Gimmie Plugin 1.2.2 on vBulletin and classified as critical. Affected by this vulnerability is an unknown functionality of the file trigger_login.php. The manipulation of the argument userid leads to sql injection. Upgrading to version 1.3.0 is…

  • CVE-2014-125085 · Feb 5, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as critical, was found in Gimmie Plugin 1.2.2 on vBulletin. Affected is an unknown function of the file trigger_ratethread.php. The manipulation of the argument t/postusername leads to sql injection. Upgrading to version 1.3.0 is able to…

  • CVE-2014-125084 · Feb 5, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as critical, has been found in Gimmie Plugin 1.2.2 on vBulletin. This issue affects some unknown processing of the file trigger_referral.php. The manipulation of the argument referrername leads to sql injection. Upgrading to version 1.3.0 is…

  • CVE-2020-25115 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.

  • CVE-2020-25116 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.

  • CVE-2020-25117 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.

  • CVE-2020-25119 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.

  • CVE-2020-25120 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.

  • CVE-2020-25121 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.

  • CVE-2020-25122 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.

  • CVE-2020-25123 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.

  • CVE-2020-25124 · Sep 3, 2020
    risk 0.00 · cvss · epss 0.01

    The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.

  • CVE-2019-17271 · Oct 8, 2019
    risk 0.00 · cvss · epss 0.01

    vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.

  • CVE-2019-17131 · Oct 4, 2019
    risk 0.00 · cvss · epss 0.01

    vBulletin before 5.5.4 allows clickjacking.

  • CVE-2019-17130 · Oct 4, 2019
    risk 0.00 · cvss · epss 0.01

    vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.

  • CVE-2018-15493 · Oct 17, 2018
    risk 0.00 · cvss · epss 0.01

    vBulletin 5.4.3 has an Open Redirect.

  • CVE-2014-9438 · Jan 2, 2015
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2)…

  • CVE-2014-8670 · Nov 6, 2014
    risk 0.00 · cvss · epss 0.02

    Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

  • CVE-2014-5102 · Jul 25, 2014
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

  • CVE-2014-3135 · Apr 30, 2014
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment…

  • CVE-2011-5251 · Dec 31, 2012
    risk 0.00 · cvss · epss 0.02

    Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action.

  • CVE-2012-4328 · Aug 14, 2012
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors.

  • CVE-2012-3844 · Jul 3, 2012
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post.

  • CVE-2008-6754 · Apr 27, 2009
    risk 0.00 · cvss · epss 0.01

    The Personal Sticky Threads addon 1.0.3c for vBulletin allows remote authenticated users to read the title, author, and pages of an arbitrary thread by toggling a personal sticky.

  • CVE-2008-6256 · Feb 24, 2009
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022.

  • CVE-2008-6255 · Feb 24, 2009
    risk 0.00 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3)…

  • CVE-2008-2460 · May 27, 2008
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action.

  • CVE-2007-4959 · Sep 18, 2007
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in catalog_products_with_images.php in osCMax 2.0.0-RC3-0-1 allows remote attackers to inject arbitrary web script or HTML via the URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2007-4453 · Aug 21, 2007
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.8 allow remote attackers to inject arbitrary web code or HTML via the (1) s parameter to index.php, and the (2) q parameter to (a) faq.php, (b) member.php, (c) memberlist.php, (d) calendar.php, (e) search.php,…

  • CVE-2007-4120 · Aug 1, 2007
    risk 0.00 · cvss · epss 0.02

    Multiple PHP remote file inclusion vulnerabilities in Jelsoft vBulletin 3.6.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) classfile parameter to includes/functions.php, the (2) nextitem parameter to includes/functions_cron.php, and the (3)…

  • CVE-2007-3326 · Jun 21, 2007
    risk 0.00 · cvss · epss 0.01

    Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local files via a .. (dot dot) in (1) the loc parameter to admincp/index.php and (2) the Hyperlink information URL field for post Topic in showthread.php,…

  • CVE-2007-3197 · Jun 12, 2007
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in vBSupport.php in vBSupport 1.1 before 1.1a allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2007-2911 · May 30, 2007
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573.

  • CVE-2007-2909 · May 30, 2007
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin 3.6.x before 3.6.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_calendar366_xss_fix_plugin.xml update.

  • CVE-2007-2912 · May 30, 2007
    risk 0.00 · cvss · epss 0.01

    Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user.

  • CVE-2007-2910 · May 30, 2007
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.6.7 PL1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_367_xss_fix_plugin.xml update, a related issue to CVE-2007-2909.

  • CVE-2007-1573 · Mar 21, 2007
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field.

  • CVE-2007-1342 · Mar 8, 2007
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the add rss url form.

  • CVE-2007-0869 · Feb 9, 2007
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Attachment Manager (admincp/attachment.php) in Jelsoft vBulletin 3.6.4 allows remote attackers to inject arbitrary web script or HTML via the Extension field. NOTE: this might be a duplicate of CVE-2007-0830.5. NOTE: the…

  • CVE-2007-0830 · Feb 7, 2007
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the Admin Control Panel (AdminCP) in Jelsoft vBulletin 3.6.4 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors related to the (1) User Group Manager, (2) User Rank…

  • CVE-2006-4272 · Aug 21, 2006
    risk 0.00 · cvss · epss 0.01

    Jelsoft vBulletin 3.5.4 allows remote attackers to register multiple arbitrary users and cause a denial of service (resource consumption) via a large number of requests to register.php. NOTE: the vendor has disputed this vulnerability, stating "If you have the CAPTCHA enabled…