Vulnerabilities > Vbulletin > Vbulletin > 5.2.6
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-16 | CVE-2023-39777 | Cross-site Scripting vulnerability in Vbulletin A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | 5.4 |
| 2020-05-08 | CVE-2020-12720 | Missing Authentication for Critical Function vulnerability in Vbulletin vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | 7.5 |
| 2019-10-08 | CVE-2019-17271 | SQL Injection vulnerability in Vbulletin vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. | 4.0 |
| 2019-10-04 | CVE-2019-17132 | Improper Input Validation vulnerability in Vbulletin vBulletin through 5.5.4 mishandles custom avatars. | 6.8 |
| 2019-10-04 | CVE-2019-17131 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Vbulletin vBulletin before 5.5.4 allows clickjacking. | 4.3 |
| 2019-10-04 | CVE-2019-17130 | Files or Directories Accessible to External Parties vulnerability in Vbulletin vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories. | 6.4 |
| 2019-09-24 | CVE-2019-16759 | Improper Input Validation vulnerability in Vbulletin vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 7.5 |
| 2017-12-14 | CVE-2017-17672 | Deserialization of Untrusted Data vulnerability in Vbulletin In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. | 7.5 |
| 2017-12-14 | CVE-2017-17671 | Path Traversal vulnerability in Vbulletin vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. | 7.5 |
| 2017-04-06 | CVE-2017-7569 | Server-Side Request Forgery (SSRF) vulnerability in Vbulletin In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037. | 5.0 |