Vbulletin: >> Vbulletin >> 3.6 Security Vulnerabilities
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-09-16
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
CVSS Score
4.9
EPSS Score
0.004
Published
2019-10-08
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-10-04
vBulletin before 5.5.4 allows clickjacking.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-10-04
vBulletin through 5.5.4 mishandles custom avatars.
CVSS Score
9.8
EPSS Score
0.307
Published
2019-10-04
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
CVSS Score
6.1
EPSS Score
0.056
Published
2018-01-25
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
CVSS Score
8.8
EPSS Score
0.139
Published
2017-09-15
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-08-28
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.
CVSS Score
8.6
EPSS Score
0.006
Published
2017-04-06
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
CVSS Score
3.5
EPSS Score
0.007
Published
2014-10-25
Page 1