Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Vbulletin Subscribe
Filtered by product Vbulletin
Total 49 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-15493 1 Vbulletin 1 Vbulletin 2018-11-30 5.8 MEDIUM 6.1 MEDIUM
vBulletin 5.4.3 has an Open Redirect.
CVE-2008-6255 1 Vbulletin 1 Vbulletin 2018-10-11 6.5 MEDIUM N/A
Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3) iperm parameter to admincp/image.php.
CVE-2008-6256 1 Vbulletin 1 Vbulletin 2018-10-11 6.5 MEDIUM N/A
SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022.
CVE-2008-3184 1 Vbulletin 1 Vbulletin 2018-10-11 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.
CVE-2008-2744 1 Vbulletin 1 Vbulletin 2018-10-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php).
CVE-2008-2460 1 Vbulletin 1 Vbulletin 2018-10-11 7.5 HIGH N/A
SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action.
CVE-2018-6200 1 Vbulletin 1 Vbulletin 2018-02-08 5.8 MEDIUM 6.1 MEDIUM
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
CVE-2017-17672 1 Vbulletin 1 Vbulletin 2018-01-02 7.5 HIGH 9.8 CRITICAL
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
CVE-2014-9463 2 Vbseo, Vbulletin 2 Vbseo, Vbulletin 2017-09-29 9.0 HIGH 8.8 HIGH
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
CVE-2015-3419 1 Vbulletin 1 Vbulletin 2017-09-26 4.0 MEDIUM 6.5 MEDIUM
vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure.
CVE-2014-9438 1 Vbulletin 1 Vbulletin 2017-09-07 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2) unban a user, (3) modify user profiles, edit a (4) post or (5) topic, or approve a (6) post or (7) topic via unspecified vectors.
CVE-2014-8670 1 Vbulletin 1 Vbulletin 2017-09-07 5.8 MEDIUM N/A
Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
CVE-2016-6483 1 Vbulletin 1 Vbulletin 2017-09-02 5.0 MEDIUM 8.6 HIGH
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.
CVE-2014-9469 1 Vbulletin 1 Vbulletin 2017-09-01 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3.
CVE-2014-2021 1 Vbulletin 1 Vbulletin 2017-08-28 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
CVE-2014-3135 1 Vbulletin 1 Vbulletin 2017-08-28 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to privatemessage/new/, (2) the folderid parameter to a private message in privatemessage/view, (3) a fragment indicator to /help, or (4) the view parameter to a topic, as demonstrated by a request to forum/anunturi-importante/rst-power/67030-rst-admin-restore.
CVE-2012-3844 1 Vbulletin 1 Vbulletin 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post.
CVE-2012-4328 1 Vbulletin 4 Mapi, Vbulletin, Vbulletin Forum and 1 more 2017-08-28 10.0 HIGH N/A
Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors.
CVE-2016-6195 1 Vbulletin 1 Vbulletin 2017-08-20 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.
CVE-2010-1077 2 Vbseo, Vbulletin 2 Vbseo, Vbulletin 2017-08-16 6.8 MEDIUM N/A
Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter.