vBulletin: Security Vulnerabilities
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
CVSS Score: 4.8
EPSS Score: 0.002
Published: 2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
CVSS Score: 4.8
EPSS Score: 0.002
Published: 2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
CVSS Score: 4.8
EPSS Score: 0.002
Published: 2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.
CVSS Score: 4.8
EPSS Score: 0.003
Published: 2020-09-03
The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.
CVSS Score: 4.8
EPSS Score: 0.002
Published: 2020-09-03
CVE-2020-17496
Known exploited
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
CVSS Score: 9.8
EPSS Score: 0.94
Published: 2020-08-12
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
CVSS Score: 9.8
EPSS Score: 0.938
Published: 2020-05-08
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
CVSS Score: 4.9
EPSS Score: 0.004
Published: 2019-10-08
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
CVSS Score: 6.5
EPSS Score: 0.004
Published: 2019-10-04
vBulletin before 5.5.4 allows clickjacking.
CVSS Score: 4.3
EPSS Score: 0.002
Published: 2019-10-04

