Shodan
Vulnerabilities
Vulnerable Software
Vbulletin:  Security Vulnerabilities
CVE-2019-17132
vBulletin through 5.5.4 mishandles custom avatars.
CVSS Score
9.8
EPSS Score
0.252
Published
2019-10-04
CVE-2019-16759
Known exploited
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
CVSS Score
9.8
EPSS Score
0.944
Published
2019-09-24
CVE-2018-15493
vBulletin 5.4.3 has an Open Redirect.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-17
CVE-2018-6200
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
CVSS Score
6.1
EPSS Score
0.188
Published
2018-01-25
CVE-2017-17671
vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file.
CVSS Score
9.8
EPSS Score
0.013
Published
2017-12-14
CVE-2017-17672
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
CVSS Score
9.8
EPSS Score
0.108
Published
2017-12-14
CVE-2015-3419
vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure.
CVSS Score
6.5
EPSS Score
0.002
Published
2017-09-19
CVE-2014-9463
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
CVSS Score
8.8
EPSS Score
0.139
Published
2017-09-15
CVE-2014-9469
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-08-28
CVE-2017-7569
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.
CVSS Score
8.6
EPSS Score
0.006
Published
2017-04-06


Products
Pricing
Contact Us

Shodan ® - All rights reserved