Filtered by vendor Vbulletin
Subscriptions
Total
51 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-39777 | 1 Vbulletin | 1 Vbulletin | 2023-09-20 | 5.4 Medium |
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | ||||
CVE-2023-25135 | 1 Vbulletin | 1 Vbulletin | 2023-02-13 | 9.8 Critical |
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | ||||
CVE-2020-17496 | 1 Vbulletin | 1 Vbulletin | 2022-10-26 | 9.8 Critical |
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | ||||
CVE-2017-7569 | 1 Vbulletin | 1 Vbulletin | 2022-10-03 | N/A |
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037. | ||||
CVE-2018-6200 | 1 Vbulletin | 1 Vbulletin | 2022-10-03 | N/A |
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter. | ||||
CVE-2012-4686 | 1 Vbulletin | 1 Vbulletin | 2022-10-03 | N/A |
SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via the announcementid parameter. | ||||
CVE-2011-5251 | 1 Vbulletin | 1 Vbulletin | 2022-10-03 | N/A |
Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. | ||||
CVE-2013-6129 | 1 Vbulletin | 1 Vbulletin | 2022-10-03 | N/A |
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013. | ||||
CVE-2013-3522 | 1 Vbulletin | 1 Vbulletin | 2022-10-03 | N/A |
SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter. | ||||
CVE-2020-12720 | 1 Vbulletin | 1 Vbulletin | 2022-04-27 | 9.8 Critical |
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | ||||
CVE-2019-17132 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 9.8 Critical |
vBulletin through 5.5.4 mishandles custom avatars. | ||||
CVE-2019-16759 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 9.8 Critical |
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | ||||
CVE-2020-7373 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 9.8 Critical |
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | ||||
CVE-2020-25121 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. | ||||
CVE-2020-25115 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. | ||||
CVE-2020-25116 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. | ||||
CVE-2020-25117 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. | ||||
CVE-2020-25118 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager. | ||||
CVE-2020-25119 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. | ||||
CVE-2020-25120 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium |
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. |