Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2002-2235 — Cross-site Scripting in Vbulletin

CWE-1893 documents3 sources

Severity

5.0MEDIUMNVD

EPSS

0.5%

top 32.15%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Jelsoft Vbulletin

Timeline

PublishedDec 31

Latest updateApr 30

Description

member2.php in vBulletin 2.2.9 and earlier does not properly restrict the $perpage variable to be an integer, which causes an error message to be reflected back to the user without quoting, which facilitates cross-site scripting (XSS) and possibly other attacks.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDjelsoft/vbulletin14 versions+13

🔴Vulnerability Details

GHSA

GHSA-46fc-9xfj-r45q: member2↗2022-04-30

▶

💥Exploits & PoCs

Exploit-DB

vBulletin 2.0.x/2.2.x - 'members2.php' Cross-Site Scripting↗2002-11-25

▶