ReportizFlow
Filtered by vendor Vbulletin
Subscriptions
Total
54 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2014-9438 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2) unban a user, (3) modify user profiles, edit a (4) post or (5) topic, or approve a (6) post or (7) topic via unspecified vectors. | ||||
| CVE-2014-2022 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request. | ||||
| CVE-2014-8670 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. | ||||
| CVE-2014-5102 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. | ||||
| CVE-2016-6483 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code. | ||||
| CVE-2014-2021 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name. | ||||
| CVE-2015-7808 | 1 Vbulletin | 1 Vbulletin | 2025-04-12 | N/A |
| The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments. | ||||
| CVE-2013-3522 | 1 Vbulletin | 1 Vbulletin | 2025-04-11 | N/A |
| SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter. | ||||
| CVE-2011-5251 | 1 Vbulletin | 1 Vbulletin | 2025-04-11 | N/A |
| Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action. | ||||
| CVE-2012-4328 | 1 Vbulletin | 4 Mapi, Vbulletin, Vbulletin Forum and 1 more | 2025-04-11 | N/A |
| Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. | ||||
| CVE-2012-3844 | 1 Vbulletin | 1 Vbulletin | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post. | ||||
| CVE-2010-1077 | 2 Vbseo, Vbulletin | 2 Vbseo, Vbulletin | 2025-04-11 | N/A |
| Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter. | ||||
| CVE-2012-4686 | 1 Vbulletin | 1 Vbulletin | 2025-04-11 | N/A |
| SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via the announcementid parameter. | ||||
| CVE-2013-6129 | 1 Vbulletin | 1 Vbulletin | 2025-04-11 | N/A |
| The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013. | ||||
| CVE-2023-25135 | 1 Vbulletin | 1 Vbulletin | 2025-03-26 | 9.8 Critical |
| vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | ||||
| CVE-2023-39777 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | ||||
| CVE-2020-7373 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 9.8 Critical |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | ||||
| CVE-2020-25124 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | ||||
| CVE-2020-25123 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | ||||
| CVE-2020-25122 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. | ||||