Vulnerabilities > Vbulletin > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-16 | CVE-2023-39777 | Cross-site Scripting vulnerability in Vbulletin A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | 5.4 |
| 2019-10-08 | CVE-2019-17271 | SQL Injection vulnerability in Vbulletin vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. | 4.0 |
| 2019-10-04 | CVE-2019-17132 | Improper Input Validation vulnerability in Vbulletin vBulletin through 5.5.4 mishandles custom avatars. | 6.8 |
| 2019-10-04 | CVE-2019-17131 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Vbulletin vBulletin before 5.5.4 allows clickjacking. | 4.3 |
| 2019-10-04 | CVE-2019-17130 | Files or Directories Accessible to External Parties vulnerability in Vbulletin vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. | 6.4 |
| 2018-10-17 | CVE-2018-15493 | Open Redirect vulnerability in Vbulletin 5.4.3 vBulletin 5.4.3 has an Open Redirect. | 5.8 |
| 2018-01-25 | CVE-2018-6200 | Open Redirect vulnerability in Vbulletin vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter. | 5.8 |
| 2017-09-19 | CVE-2015-3419 | Improper Input Validation vulnerability in Vbulletin vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure. | 4.0 |
| 2017-08-28 | CVE-2014-9469 | Cross-site Scripting vulnerability in Vbulletin Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3. | 4.3 |
| 2017-04-06 | CVE-2017-7569 | Server-Side Request Forgery (SSRF) vulnerability in Vbulletin In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037. | 5.0 |