DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-30 | CVE-2020-7373 | Command Injection vulnerability in Vbulletin: vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. | 7.5 |
2020-05-08 | CVE-2020-12720 | Missing Authentication for Critical Function vulnerability in Vbulletin: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | 7.5 |
2019-09-24 | CVE-2019-16759 | Improper Input Validation vulnerability in Vbulletin: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | 7.5 |
2017-12-14 | CVE-2017-17672 | Deserialization of Untrusted Data vulnerability in Vbulletin: In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. | 7.5 |
2017-12-14 | CVE-2017-17671 | Path Traversal vulnerability in Vbulletin: vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. | 7.5 |
2016-08-30 | CVE-2016-6195 | SQL Injection vulnerability in Vbulletin 4.2.2/4.2.3: SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016. | 7.5 |
2015-11-24 | CVE-2015-7808 | Improper Input Validation vulnerability in Vbulletin: The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments. | 7.5 |
2014-10-15 | CVE-2014-2022 | SQL Injection vulnerability in Vbulletin: SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request. | 7.1 |
2014-07-25 | CVE-2014-5102 | SQL Injection vulnerability in Vbulletin: SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. | 7.5 |
2013-10-19 | CVE-2013-6129 | Permissions, Privileges, and Access Controls vulnerability in Vbulletin 4.1/5.0.0: The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013. | 7.5 |