[CLOSE] OSVDB ID : 52279 - Disclosed: 2008-11-17

Description:

vBulletin contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admincp/image.php' script not properly sanitizing user-supplied input to the 'iperm' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 34945 - Disclosed: 2007-03-02

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the add rss url form.

[CLOSE] OSVDB ID : 38612 - Disclosed: 2007-06-20

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local files via a .. (dot dot) in (1) the loc parameter to admincp/index.php and (2) the Hyperlink information URl field for post Topic in showthread.php, enabling cross-site scripting (XSS) and other attacks, a different vulnerability than CVE-2005-3025.2.

[CLOSE] OSVDB ID : 30512 - Disclosed: 2006-11-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in admincp/index.php in Jelsoft vBulletin 3.6.x allow remote attackers to inject arbitrary web script or HTML via (1) the prefs parameter in a buildnavprefs action or (2) the navprefs parameter in a savenavprefs action.

[CLOSE] OSVDB ID : 5567 - Disclosed: 2004-03-15

Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "vb_login_username" variable upon submission to the "admincp/index.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 49920 - Disclosed: 2008-11-17

Description:

vBulletin contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admincp/verify.php' script not properly sanitizing user-supplied input to the 'answer' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 80962 - Disclosed: 2012-04-04

Description:

vBulletin contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the announcement.php script not properly sanitizing user-supplied input to the 'announcementid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 27778 - Disclosed: 2006-08-03

Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to the unspecified script. This could allow a user to upload an attachment with a .pdf extension that contains script code, that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 33129 - Disclosed: 2007-02-06

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the Attachment Manager (admincp/attachment.php) in Jelsoft vBulletin 3.6.4 allows remote attackers to inject arbitrary web script or HTML via the Extension field. NOTE: this might be a duplicate of CVE-2007-0830.5. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 9993 - Disclosed: 2004-09-15

Description:

Jelsoft Enterprises Limited vBulletin contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the x_invoice_num parameter in the subscriptions/authorize.php script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 21373 - Disclosed: 2005-11-26

Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the remote avatar URL upon submission to the profile.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 19090 - Disclosed: 2005-08-27

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 64433 - Disclosed: 2010-04-29

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 13150 - Disclosed: 2005-01-15

Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate nested style variables when processing BBTags. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 82836 - Disclosed: 2012-04-30

Description:

vBulletin contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the blog.php script not properly sanitizing user-supplied input to the 'p' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 22210 - Disclosed: 2006-01-01

Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'title' variable upon submission to the 'calendar.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 3299 - Disclosed: 2002-09-24

Description:

vBulletin contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'calendar.php' script not properly sanitizing user input supplied to the 'comma' variable. By sending a specially crafted request containing shell metacharacters, a remote attacker could execute arbitrary commands resulting in a loss of integrity.

[CLOSE] OSVDB ID : 3344 - Disclosed: 2004-01-05

Description:

vBulletin contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "eventid" parameter is not verified properly in "calendar.php" which can be exploited to manipulate or inject SQL queries.

[CLOSE] OSVDB ID : 35155 - Disclosed: 2007-05-16

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin before 3.6.6 allows remote attackers to inject arbitrary web script or HTML via the title field in a single add action.

[CLOSE] OSVDB ID : 62505 - Disclosed: 2010-02-20

Description:

vBulletin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URI upon submission to the 'calendar.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81051 - Disclosed: 2012-03-27

Description:

vBulletin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input upon submission to the clientscript/ckeditor/ckeditor.js script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81050 - Disclosed: 2012-03-27

Description:

vBulletin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input upon submission to the clientscript/ckeplugins/bbcode/plugin.js script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 63254 - Disclosed: 2010-03-24

Description:

vBulletin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the unspecified input upon submission to the CMS article editor. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 63252 - Disclosed: 2010-03-24

Description:

vBulletin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the unspecified input to the content type search widget. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 35158 - Disclosed: 2006-05-06

Description:

(Description Provided by CVE) : Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated administrators to gain shell access by uploading a CSS file that contains PHP code, then selecting the file via the style chooser, which causes the PHP code to be executed. NOTE: the vendor was unable to reproduce this issue in 3.5.x. NOTE: this issue might be due to direct static code injection.

[CLOSE] OSVDB ID : 66505 - Disclosed: 2010-07-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 46937 - Disclosed: 2008-07-08

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.

[CLOSE] OSVDB ID : 23614 - Disclosed: 2006-03-02

Description:

vBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "email" field upon submission to the "editpassword" function in the "profile.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 45736 - Disclosed: 2008-05-20

Description:

(Description Provided by CVE) : SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action.

[CLOSE] OSVDB ID : 62504 - Disclosed: 2010-02-20

Description:

vBulletin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URI upon submission to the 'faq.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.