cvebase

Jelsoft vBulletin vulnerabilities

51 known vulnerabilities affecting jelsoft/vbulletin.

Total CVEs: 51
CISA KEV: 0
Public exploits: 22
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 14, MEDIUM 32, LOW 4

Vulnerabilities

Page 2 of 3
CVE-2004-2288 | P4 | MEDIUM | CVSS 4.3 | PoC | v1.0.1, v2.0.3, +23 more | 2004-12-31
Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBulletin allows remote attackers to spoof parts of a website via the loc parameter.
nvd
CVE-2006-4271 | P3 | HIGH | CVSS 7.5 | v3.5.4 | 2006-08-21
PHP remote file inclusion vulnerability in install/upgrade_301.php in Jelsoft vBulletin 3.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the step parameter. NOTE: the vendor has disputed this vulnerability, saying "The default vBulletin requires authentication prior to the usage of the upgrade system.
nvd
CVE-2007-2911 | P4 | HIGH | CVSS 8.5 | ≤ 3.6.5 | 2007-05-30
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573.
nvd
CVE-2005-3024 | P4 | HIGH | CVSS 7.5 | v1.0.1, v2.0.3, +31 more | 2005-09-21
Multiple SQL injection vulnerabilities in vBulletin 3.0.7 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) announcement parameter to announcement.php, the (2) thread[forumid] or (3) criteria parameters to thread.php, (4) userid parameter to user.php, the (5) calendarcustomfieldid, (6) calendarid, (7) moderatorid, (8) holidayid, (
nvd
CVE-2007-4120 | P4 | CRITICAL | CVSS 9.3 | v3.6.5 | 2007-08-01
Multiple PHP remote file inclusion vulnerabilities in Jelsoft vBulletin 3.6.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) classfile parameter to includes/functions.php, the (2) nextitem parameter to includes/functions_cron.php, and the (3) specialtemplates parameter to includes/functions_forumdisplay.php. NOTE: this issue is di
nvd
CVE-2005-3022 | P4 | HIGH | CVSS 7.5 | v1.0.1, v2.0.3, +33 more | 2005-09-21
Multiple SQL injection vulnerabilities in vBulletin 3.0.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) announcement parameter to announcement.php, (2) userid parameter to user.php, (3) calendar parameter to admincalendar.php, (4) cronid parameter to cronlog.php, (5) usergroupid parameter to email.php, (6) help parameter to he
nvd
CVE-2006-3253 | P4 | LOW | CVSS 2.6 | PoC | v3.5.0, v3.5.0_beta_1, +9 more | 2006-06-28
Cross-site scripting (XSS) vulnerability in member.php in vBulletin 3.5.x allows remote attackers to inject arbitrary web script or HTML via the u parameter. NOTE: the vendor has disputed this report, stating that they have been unable to replicate the issue and that "the userid parameter is run through our filtering system as an unsigned integer.
nvd
CVE-2006-2018 | P4 | HIGH | CVSS 7.5 | v3.0, v3.0.0, +11 more | 2006-04-25
SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the eventid parameter. NOTE: the affected version has been disputed by the vendor. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4.
nvd
CVE-2001-0475 | P4 | HIGH | CVSS 7.5 | ≤ 1.1.5, ≤ 2.0_beta_2 | 2001-06-27
index.php in Jelsoft vBulletin does not properly initialize a PHP variable that is used to store template information, which allows remote attackers to execute arbitrary PHP code via special characters in the templatecache parameter.
nvd
CVE-2004-2695 | P4 | HIGH | CVSS 7.5 | v3.0, v3.0.1, +9 more | 2004-12-31
[CWE-89] SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.3 allows remote attackers to execute arbitrary SQL statements via the x_invoice_num parameter. NOTE: this issue might be related to CVE-2006-4267.
nvd
CVE-2006-4272 | P4 | HIGH | CVSS 7.5 | v3.5.4 | 2006-08-21
Jelsoft vBulletin 3.5.4 allows remote attackers to register multiple arbitrary users and cause a denial of service (resource consumption) via a large number of requests to register.php. NOTE: the vendor has disputed this vulnerability, stating "If you have the CAPTCHA enabled then the registrations won't even go through. ... if you are talking about the flood be
nvd
CVE-2006-2335 | P4 | MEDIUM | CVSS 6.5 | v3.5.8 | 2006-05-12
Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated administrators to gain shell access by uploading a CSS file that contains PHP code, then selecting the file via the style chooser, which causes the PHP code to be executed. NOTE: the vendor was unable to reproduce this issue in 3.5.x.
nvd
CVE-2007-1573 | P4 | MEDIUM | CVSS 6.0 | ≤ 3.6.5, v3.6.4 | 2007-03-21
[CWE-89] SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field.
nvd
CVE-2006-1816 | P4 | MEDIUM | CVSS 5.0 | v3.5.1, v3.5.2, +1 more | 2006-04-18
PHP remote file inclusion vulnerability in vBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via a URL in the systempath parameter to (1) ImpExModule.php, (2) ImpExController.php, and (3) ImpExDisplay.php.
nvd
CVE-2004-0036 | P4 | MEDIUM | CVSS 5.0 | v2.3.0 | 2004-01-20
SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter.
nvd
CVE-2007-2912 | P4 | MEDIUM | CVSS 5.0 | ≤ 3.6.4 | 2007-05-30
Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user.
nvd
CVE-2007-3326 | P4 | MEDIUM | CVSS 5.8 | v3.0.0 | 2007-06-21
Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local files via a .. (dot dot) in (1) the loc parameter to admincp/index.php and (2) the Hyperlink information URL field for post Topic in showthread.php, enabling cross-site scripting (XSS) and other attacks, a different vulnerability than
nvd
CVE-2005-3021 | P4 | LOW | CVSS 2.1 | v1.0.1, v2.0.3, +33 more | 2005-09-21
image.php in vBulletin 3.0.9 and earlier allows remote attackers with access to the administrator panel to upload arbitrary files via the upload action.
nvd
CVE-2006-0080 | P4 | MEDIUM | CVSS 4.3 | v3.5.2 | 2006-01-04
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php.
nvd
CVE-2005-3023 | P4 | MEDIUM | CVSS 4.3 | v1.0.1, v2.0.3, +33 more | 2005-09-21
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) announcement.php, (2) admincalendar.php, (3) bbcode.php, (4) cronadmin.php, (5) email.php, (6) faq.php, (7) forum.php, (8) image.php, (9) language.php, (10) ranks.php, (11) replacement.ph
nvd