Vendor CVEs
Jelsoft
All CVEs
118 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2004-2288 | | | 0.03 | — | 0.01 | | Dec 31, 2004 | Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBulletin allows remote attackers to spoof parts of a website via the loc parameter. |
| CVE-2004-1515 | | | 0.03 | — | 0.01 | | Dec 31, 2004 | SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL statements via the fsel parameter, as demonstrated using last.php. |
| CVE-2004-0620 | | | 0.03 | — | 0.04 | | Dec 6, 2004 | Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel. |
| CVE-2003-1031 | | | 0.03 | — | 0.01 | | Feb 17, 2004 | Cross-site scripting (XSS) vulnerability in register.php for vBulletin 3.0 Beta 2 allows remote attackers to inject arbitrary HTML or web script via optional fields such as (1) "Interests-Hobbies", (2) "Biography", or (3) "Occupation." |
| CVE-2003-0295 | | | 0.03 | — | 0.02 | | Jun 16, 2003 | Cross-site scripting (XSS) vulnerability in private.php for vBulletin 3.0.0 Beta 2 allows remote attackers to inject arbitrary web script and HTML via the "Preview Message" capability. |
| CVE-2002-1922 | | | 0.03 | — | 0.04 | | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in global.php in Jelsoft vBulletin 2.0.0 through 2.2.8 allows remote attackers to inject arbitrary web script or HTML via the (1) $scriptpath or (2) $url variables. |
| CVE-2002-2235 | | | 0.03 | — | 0.02 | | Dec 31, 2002 | member2.php in vBulletin 2.2.9 and earlier does not properly restrict the $perpage variable to be an integer, which causes an error message to be reflected back to the user without quoting, which facilitates cross-site scripting (XSS) and possibly other attacks. |
| CVE-2025-46171 | | | 0.00 | — | 0.00 | | Jul 23, 2025 | vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum. |
| CVE-2023-39777 | | | 0.00 | — | 0.00 | | Sep 16, 2023 | A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. |
| CVE-2014-125086 | | | 0.00 | — | 0.01 | | Feb 6, 2023 | A vulnerability has been found in Gimmie Plugin 1.2.2 on vBulletin and classified as critical. Affected by this vulnerability is an unknown functionality of the file trigger_login.php. The manipulation of the argument userid leads to sql injection. Upgrading to version 1.3.0 is… |
| CVE-2014-125085 | | | 0.00 | — | 0.01 | | Feb 5, 2023 | A vulnerability, which was classified as critical, was found in Gimmie Plugin 1.2.2 on vBulletin. Affected is an unknown function of the file trigger_ratethread.php. The manipulation of the argument t/postusername leads to sql injection. Upgrading to version 1.3.0 is able to… |
| CVE-2014-125084 | | | 0.00 | — | 0.01 | | Feb 5, 2023 | A vulnerability, which was classified as critical, has been found in Gimmie Plugin 1.2.2 on vBulletin. This issue affects some unknown processing of the file trigger_referral.php. The manipulation of the argument referrername leads to sql injection. Upgrading to version 1.3.0 is… |
| CVE-2020-25115 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. |
| CVE-2020-25116 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. |
| CVE-2020-25117 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. |
| CVE-2020-25119 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. |
| CVE-2020-25120 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. |
| CVE-2020-25121 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. |
| CVE-2020-25122 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. |
| CVE-2020-25123 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. |
| CVE-2020-25124 | | | 0.00 | — | 0.01 | | Sep 3, 2020 | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. |
| CVE-2019-17271 | | | 0.00 | — | 0.01 | | Oct 8, 2019 | vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. |
| CVE-2019-17131 | | | 0.00 | — | 0.01 | | Oct 4, 2019 | vBulletin before 5.5.4 allows clickjacking. |
| CVE-2019-17130 | | | 0.00 | — | 0.01 | | Oct 4, 2019 | vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. |
| CVE-2018-15493 | | | 0.00 | — | 0.01 | | Oct 17, 2018 | vBulletin 5.4.3 has an Open Redirect. |
| CVE-2014-9438 | | | 0.00 | — | 0.01 | | Jan 2, 2015 | Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2)… |
| CVE-2014-8670 | | | 0.00 | — | 0.02 | | Nov 6, 2014 | Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. |
| CVE-2014-5102 | | | 0.00 | — | 0.01 | | Jul 25, 2014 | SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. |
| CVE-2014-3135 | | | 0.00 | — | 0.02 | | Apr 30, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment… |
| CVE-2011-5251 | | | 0.00 | — | 0.02 | | Dec 31, 2012 | Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. |
| CVE-2012-4328 | | | 0.00 | — | 0.02 | | Aug 14, 2012 | Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. |
| CVE-2012-3844 | | | 0.00 | — | 0.01 | | Jul 3, 2012 | Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post. |
| CVE-2008-6754 | | | 0.00 | — | 0.01 | | Apr 27, 2009 | The Personal Sticky Threads addon 1.0.3c for vBulletin allows remote authenticated users to read the title, author, and pages of an arbitrary thread by toggling a personal sticky. |
| CVE-2008-6256 | | | 0.00 | — | 0.01 | | Feb 24, 2009 | SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022. |
| CVE-2008-6255 | | | 0.00 | — | 0.01 | | Feb 24, 2009 | Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3)… |
| CVE-2008-2460 | | | 0.00 | — | 0.01 | | May 27, 2008 | SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action. |
| CVE-2007-4959 | | | 0.00 | — | 0.01 | | Sep 18, 2007 | Cross-site scripting (XSS) vulnerability in catalog_products_with_images.php in osCMax 2.0.0-RC3-0-1 allows remote attackers to inject arbitrary web script or HTML via the URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… |
| CVE-2007-4453 | | | 0.00 | — | 0.01 | | Aug 21, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.8 allow remote attackers to inject arbitrary web code or HTML via the (1) s parameter to index.php, and the (2) q parameter to (a) faq.php, (b) member.php, (c) memberlist.php, (d) calendar.php, (e) search.php,… |
| CVE-2007-4120 | | | 0.00 | — | 0.02 | | Aug 1, 2007 | Multiple PHP remote file inclusion vulnerabilities in Jelsoft vBulletin 3.6.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) classfile parameter to includes/functions.php, the (2) nextitem parameter to includes/functions_cron.php, and the (3)… |
| CVE-2007-3326 | | | 0.00 | — | 0.01 | | Jun 21, 2007 | Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local files via a .. (dot dot) in (1) the loc parameter to admincp/index.php and (2) the Hyperlink information URl field for post Topic in showthread.php,… |
| CVE-2007-3197 | | | 0.00 | — | 0.01 | | Jun 12, 2007 | SQL injection vulnerability in vBSupport.php in vBSupport 1.1 before 1.1a allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2007-2911 | | | 0.00 | — | 0.01 | | May 30, 2007 | SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573. |
| CVE-2007-2909 | | | 0.00 | — | 0.01 | | May 30, 2007 | Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin 3.6.x before 3.6.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_calendar366_xss_fix_plugin.xml update. |
| CVE-2007-2912 | | | 0.00 | — | 0.01 | | May 30, 2007 | Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user. |
| CVE-2007-2910 | | | 0.00 | — | 0.01 | | May 30, 2007 | Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.6.7 PL1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_367_xss_fix_plugin.xml update, a related issue to CVE-2007-2909. |
| CVE-2007-1573 | | | 0.00 | — | 0.01 | | Mar 21, 2007 | SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field. |
| CVE-2007-1342 | | | 0.00 | — | 0.01 | | Mar 8, 2007 | Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the add rss url form. |
| CVE-2007-0869 | | | 0.00 | — | 0.01 | | Feb 9, 2007 | Cross-site scripting (XSS) vulnerability in the Attachment Manager (admincp/attachment.php) in Jelsoft vBulletin 3.6.4 allows remote attackers to inject arbitrary web script or HTML via the Extension field. NOTE: this might be a duplicate of CVE-2007-0830.5. NOTE: the… |
| CVE-2007-0830 | | | 0.00 | — | 0.01 | | Feb 7, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in the Admin Control Panel (AdminCP) in Jelsoft vBulletin 3.6.4 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors related to the (1) User Group Manager, (2) User Rank… |
| CVE-2006-4272 | | | 0.00 | — | 0.01 | | Aug 21, 2006 | Jelsoft vBulletin 3.5.4 allows remote attackers to register multiple arbitrary users and cause a denial of service (resource consumption) via a large number of requests to register.php. NOTE: the vendor has disputed this vulnerability, stating "If you have the CAPTCHA enabled… |
Page 2 of 3