Filtered by vendor Vbulletin Subscriptions
Total 51 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-39777 1 Vbulletin 1 Vbulletin 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.
CVE-2023-25135 1 Vbulletin 1 Vbulletin 2024-11-21 9.8 Critical
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
CVE-2020-7373 1 Vbulletin 1 Vbulletin 2024-11-21 9.8 Critical
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.
CVE-2020-25124 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI.
CVE-2020-25123 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager.
CVE-2020-25122 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager.
CVE-2020-25121 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options.
CVE-2020-25120 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI.
CVE-2020-25119 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual.
CVE-2020-25118 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager.
CVE-2020-25117 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager.
CVE-2020-25116 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager.
CVE-2020-25115 1 Vbulletin 1 Vbulletin 2024-11-21 4.8 Medium
The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager.
CVE-2020-17496 1 Vbulletin 1 Vbulletin 2024-11-21 9.8 Critical
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
CVE-2020-12720 1 Vbulletin 1 Vbulletin 2024-11-21 9.8 Critical
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
CVE-2019-17271 1 Vbulletin 1 Vbulletin 2024-11-21 4.9 Medium
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
CVE-2019-17132 1 Vbulletin 1 Vbulletin 2024-11-21 9.8 Critical
vBulletin through 5.5.4 mishandles custom avatars.
CVE-2019-17131 1 Vbulletin 1 Vbulletin 2024-11-21 4.3 Medium
vBulletin before 5.5.4 allows clickjacking.
CVE-2019-17130 1 Vbulletin 1 Vbulletin 2024-11-21 6.5 Medium
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
CVE-2019-16759 1 Vbulletin 1 Vbulletin 2024-11-21 9.8 Critical
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.