vBulletin: Security Vulnerabilities, CVEs (XSS)
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.
Max CVSS: 5.4 | EPSS Score: 0.05% | Published: 2023-09-16 | Updated: 2023-09-20
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2020-09-03 | Updated: 2020-09-04
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.
Max CVSS: 6.1 | EPSS Score: 0.12% | Published: 2017-08-28 | Updated: 2017-09-01
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment indicator to /help, or (4) the view parameter to a topic, as demonstrated by a request to forum/anunturi-importante/rst-power/67030-rst-admin-restore.
Max CVSS: 4.3 | EPSS Score: 0.19% | Published: 2014-04-30 | Updated: 2017-08-29
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
Max CVSS: 3.5 | EPSS Score: 0.47% | Published: 2014-10-25 | Updated: 2017-08-29
Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post.
Max CVSS: 4.3 | EPSS Score: 0.22% | Published: 2012-07-03 | Updated: 2017-08-29
Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up" is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a private message subject (aka newpm[title]).
Max CVSS: 4.3 | EPSS Score: 0.44% | Published: 2008-08-22 | Updated: 2017-08-08
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.
Max CVSS: 4.3 | EPSS Score: 0.27% | Published: 2008-07-15 | Updated: 2018-10-11
Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php).
Max CVSS: 4.3 | EPSS Score: 0.49% | Published: 2008-06-17 | Updated: 2018-10-11
18 vulnerabilities found