|
|
Info |
Last Modified |
| about 1 year ago |
|
|
|
|
|
Description |
vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "email" field upon submission to the "editpassword" function in the "profile.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
OSVDB:
Web Related
|
|
Technical |
This vulnerability is only present when the "Enable Email features" and "Allow Users to Email Other Member" are enabled in the configuration.
|
|
Solution |
vBulletin 3.5.0 Beta 1 to 3.5.3:
Upgrade to version vBulletin 3.5.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
vBulletin 3.0.0 Beta 3 to 3.0.12:
Upgrade to version vBulletin 3.0.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
|
|
Products |
|
vBulletin
 |
3.0.1 |
3.0.3 |
3.0.5 |
3.0.4 |
3.0.2 |
3.0.0 |
3.0.8 |
3.5.1 |
3.5.0 |
3.5.2 |
3.5.3 |
3.0.0 Beta 3 |
3.0.6 |
3.0.7 |
3.0.9 |
3.0.10 |
3.0.11 |
3.0.12 |
3.5.0 Beta 1 |
|
|
|
|
|
|
|
Credit |
- imei addmimistrator - addmimistrator
 gmail.com - http://myimei.com/security
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
