Vulnerabilities > Vbulletin

DATE CVE VULNERABILITY TITLE RISK
2020-09-03 CVE-2020-25117 Cross-site Scripting vulnerability in Vbulletin 5.6.3
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
network
vbulletin CWE-79
3.5
2020-09-03 CVE-2020-25116 Cross-site Scripting vulnerability in Vbulletin 5.6.3
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
network
vbulletin CWE-79
3.5
2020-09-03 CVE-2020-25115 Cross-site Scripting vulnerability in Vbulletin 5.6.3
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
network
vbulletin CWE-79
3.5
2020-08-12 CVE-2020-17496 Injection vulnerability in Vbulletin
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request.
network
low complexity
vbulletin CWE-74
critical
9.8
2020-05-08 CVE-2020-12720 Missing Authentication for Critical Function vulnerability in Vbulletin
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
network
low complexity
vbulletin CWE-306
7.5
2019-10-08 CVE-2019-17271 SQL Injection vulnerability in Vbulletin
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
network
low complexity
vbulletin CWE-89
4.0
2019-10-04 CVE-2019-17132 Improper Input Validation vulnerability in Vbulletin
vBulletin through 5.5.4 mishandles custom avatars.
network
vbulletin CWE-20
6.8
2019-10-04 CVE-2019-17131 Improper Restriction of Rendered UI Layers or Frames vulnerability in Vbulletin
vBulletin before 5.5.4 allows clickjacking.
4.3
2019-10-04 CVE-2019-17130 Files or Directories Accessible to External Parties vulnerability in Vbulletin
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
network
low complexity
vbulletin CWE-552
6.4
2019-09-24 CVE-2019-16759 Improper Input Validation vulnerability in Vbulletin
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
network
low complexity
vbulletin CWE-20
7.5