Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Vbulletin
(Vbulletin)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 47 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-09-16 | CVE-2023-39777 | A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | Vbulletin | 5.4 | ||
| 2023-02-03 | CVE-2023-25135 | vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | Vbulletin | 9.8 | ||
| 2020-08-12 | CVE-2020-17496 | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | Vbulletin | 9.8 | ||
| 2020-05-08 | CVE-2020-12720 | vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | Vbulletin | 9.8 | ||
| 2019-09-24 | CVE-2019-16759 | vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | Vbulletin | 9.8 | ||
| 2019-10-04 | CVE-2019-17132 | vBulletin through 5.5.4 mishandles custom avatars. | Vbulletin | 9.8 | ||
| 2020-10-30 | CVE-2020-7373 | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | Vbulletin | 9.8 | ||
| 2020-09-03 | CVE-2020-25124 | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | Vbulletin | N/A | ||
| 2020-09-03 | CVE-2020-25123 | The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | Vbulletin | N/A | ||
| 2020-09-03 | CVE-2020-25122 | The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. | Vbulletin | N/A |