Vulnerabilities > vBulletin > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2016-09-02 | CVE-2016-6483 | Server-Side Request Forgery (SSRF) vulnerability in vBulletin | The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code. | 5.0 |
2015-01-02 | CVE-2014-9438 | Cross-Site Request Forgery (CSRF) vulnerability in vBulletin 4.2.2 | Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2) unban a user, (3) modify user profiles, edit a (4) post or (5) topic, or approve a (6) post or (7) topic via unspecified vectors. | 6.8 |
2014-11-06 | CVE-2014-8670 | Unspecified vulnerability in vBulletin 4.2.1 | Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. | 5.8 |
2014-04-30 | CVE-2014-3135 | Cross-Site Scripting vulnerability in vBulletin 5.1.1 | Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment indicator to /help, or (4) the view parameter to a topic, as demonstrated by a request to forum/anunturi-importante/rst-power/67030-rst-admin-restore. | 4.3 |
2013-05-10 | CVE-2013-3522 | SQL Injection vulnerability in vBulletin 5.0.0 | SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter. | 6.5 |
2012-12-31 | CVE-2011-5251 | Improper Input Validation vulnerability in vBulletin | Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. | 5.8 |
2012-07-03 | CVE-2012-3844 | Cross-Site Scripting vulnerability in vBulletin 4.1.12 | Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post. | 4.3 |
2010-03-23 | CVE-2010-1077 | Path Traversal vulnerability in vBSEO 3.1.0 | Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter. | 6.8 |
2009-02-24 | CVE-2008-6256 | SQL Injection vulnerability in vBulletin 3.7.3 | SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022. | 6.5 |
2009-02-24 | CVE-2008-6255 | SQL Injection vulnerability in vBulletin 3.7.4 | Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3) iperm parameter to admincp/image.php. | 6.5 |