Shodan
Vulnerabilities
Vulnerable Software
Vbulletin:  >> Vbulletin  >> 3.8.9  Security Vulnerabilities
CVE-2023-39777
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-09-16
CVE-2019-17271
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
CVSS Score
4.9
EPSS Score
0.004
Published
2019-10-08
CVE-2019-17130
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-10-04
CVE-2019-17131
vBulletin before 5.5.4 allows clickjacking.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-10-04
CVE-2019-17132
vBulletin through 5.5.4 mishandles custom avatars.
CVSS Score
9.8
EPSS Score
0.307
Published
2019-10-04
CVE-2018-6200
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
CVSS Score
6.1
EPSS Score
0.056
Published
2018-01-25
CVE-2014-9463
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
CVSS Score
8.8
EPSS Score
0.139
Published
2017-09-15
CVE-2017-7569
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.
CVSS Score
8.6
EPSS Score
0.006
Published
2017-04-06
CVE-2016-6483
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.
CVSS Score
8.6
EPSS Score
0.154
Published
2016-09-02
CVE-2014-2021
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
CVSS Score
3.5
EPSS Score
0.007
Published
2014-10-25


Products
Pricing
Contact Us

Shodan ® - All rights reserved