Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-1077 | 2 Vbseo, Vbulletin | 2 Vbseo, Vbulletin | 2025-04-11 | 6.8 MEDIUM | N/A |
| Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter. | |||||
| CVE-2012-4328 | 1 Vbulletin | 4 Mapi, Vbulletin, Vbulletin Forum and 1 more | 2025-04-11 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through 4.1.12, Forum 4.1.2 through 4.1.12, and the MAPI plugin 1.4.3 for vBulletin 3.x has unknown impact and attack vectors. | |||||
| CVE-2008-6255 | 1 Vbulletin | 1 Vbulletin | 2025-04-09 | 6.5 MEDIUM | N/A |
| Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) answer parameter to admincp/verify.php, (2) extension parameter in an edit action to admincp/attachmentpermission.php, and the (3) iperm parameter to admincp/image.php. | |||||
| CVE-2008-2460 | 1 Vbulletin | 1 Vbulletin | 2025-04-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action. | |||||
| CVE-2008-3773 | 1 Vbulletin | 1 Vbulletin | 2025-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3, when "Show New Private Message Notification Pop-Up" is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a private message subject (aka newpm[title]). | |||||
| CVE-2008-2744 | 1 Vbulletin | 1 Vbulletin | 2025-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php). | |||||
| CVE-2008-6256 | 1 Vbulletin | 1 Vbulletin | 2025-04-09 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in admincp/admincalendar.php in vBulletin 3.7.3.pl1 allows remote authenticated administrators to execute arbitrary SQL commands via the holidayinfo[recurring] parameter, a different vector than CVE-2005-3022. | |||||
| CVE-2008-3184 | 1 Vbulletin | 1 Vbulletin | 2025-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code. | |||||
| CVE-2023-25135 | 1 Vbulletin | 1 Vbulletin | 2025-03-26 | N/A | 9.8 CRITICAL |
| vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | |||||
| CVE-2019-16759 | 1 Vbulletin | 1 Vbulletin | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. | |||||
| CVE-2020-17496 | 1 Vbulletin | 1 Vbulletin | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | |||||
| CVE-2023-39777 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter. | |||||
| CVE-2020-7373 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | |||||
| CVE-2020-25124 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | |||||
| CVE-2020-25123 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | |||||
| CVE-2020-25122 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. | |||||
| CVE-2020-25121 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. | |||||
| CVE-2020-25120 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. | |||||
| CVE-2020-25119 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. | |||||
| CVE-2020-25118 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager. | |||||