Filtered by vendor Vbulletin
Filtered by product Vbulletin
Total: 50 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-25122 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium | The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. |
CVE-2020-25123 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium | The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. |
CVE-2020-25124 | 1 Vbulletin | 1 Vbulletin | 2020-09-04 | 4.8 Medium | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. |
CVE-2017-17671 | 2 Microsoft, Vbulletin | 2 Windows, Vbulletin | 2020-08-14 | 9.8 Critical | vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file. |
CVE-2019-17131 | 1 Vbulletin | 1 Vbulletin | 2019-10-11 | 4.3 Medium | vBulletin before 5.5.4 allows clickjacking. |
CVE-2019-17130 | 1 Vbulletin | 1 Vbulletin | 2019-10-10 | 6.5 Medium | vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. |
CVE-2019-17271 | 1 Vbulletin | 1 Vbulletin | 2019-10-09 | 4.9 Medium | vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. |
CVE-2018-15493 | 1 Vbulletin | 1 Vbulletin | 2018-11-30 | N/A | vBulletin 5.4.3 has an Open Redirect. |
CVE-2008-6256 | 1 Vbulletin | 1 Vbulletin | 2018-10-11 | N/A | SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022. |
CVE-2008-6255 | 1 Vbulletin | 1 Vbulletin | 2018-10-11 | N/A | Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3) iperm parameter to admincp/image.php. |
CVE-2008-3184 | 1 Vbulletin | 1 Vbulletin | 2018-10-11 | N/A | Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code. |
CVE-2008-2744 | 1 Vbulletin | 1 Vbulletin | 2018-10-11 | N/A | Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php). |
CVE-2008-2460 | 1 Vbulletin | 1 Vbulletin | 2018-10-11 | N/A | SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action. |
CVE-2017-17672 | 1 Vbulletin | 1 Vbulletin | 2018-01-02 | N/A | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates. |
CVE-2014-9463 | 2 Vbseo, Vbulletin | 2 Vbseo, Vbulletin | 2017-09-29 | N/A | functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php. |
CVE-2015-3419 | 1 Vbulletin | 1 Vbulletin | 2017-09-26 | N/A | vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure. |
CVE-2014-9438 | 1 Vbulletin | 1 Vbulletin | 2017-09-08 | N/A | Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2) unban a user, (3) modify user profiles, edit a (4) post or (5) topic, or approve a (6) post or (7) topic via unspecified vectors. |
CVE-2014-8670 | 1 Vbulletin | 1 Vbulletin | 2017-09-08 | N/A | Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. |
CVE-2016-6483 | 1 Vbulletin | 1 Vbulletin | 2017-09-03 | N/A | The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code. |
CVE-2014-9469 | 1 Vbulletin | 1 Vbulletin | 2017-09-01 | N/A | Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3. |