Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-6040 — Cross-site Scripting in Vbulletin

CWE-79 — Cross-site Scripting5 documents3 sources

Severity

6.8MEDIUMNVD

NVD3.5

EPSS

1.0%

top 22.93%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Jelsoft Vbulletin

Timeline

PublishedNov 22

Latest updateMay 1

Description

Multiple cross-site scripting (XSS) vulnerabilities in admincp/index.php in Jelsoft vBulletin 3.6.x allow remote attackers to inject arbitrary web script or HTML via (1) the prefs parameter in a buildnavprefs action or (2) the navprefs parameter in a savenavprefs action.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDjelsoft/vbulletin5 versions+4

Patches

Patch: secunia.com ↗Patch: www.securityfocus.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-ppmj-f697-j88m: ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in the Admin Control Panel (AdminCP) in Jelsoft vBulletin 3↗2022-05-01

▶

GHSA

GHSA-6cp2-ffpr-7c6w: Multiple cross-site scripting (XSS) vulnerabilities in admincp/index↗2022-05-01

▶

💥Exploits & PoCs

Exploit-DB

vBulletin 3.6.x - Admin Control Panel Multiple Cross-Site Scripting Vulnerabilities↗2006-11-17

▶