Jelsoft vBulletin vulnerabilities
51 known vulnerabilities affecting jelsoft/vbulletin.
Total CVEs: 51
CISA KEV: 0
Public exploits: 22
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 14, MEDIUM 32, LOW 4
Vulnerabilities
Page 2 of 3
CVE-2004-2288 | P4 | MEDIUM | CVSS 4.3 | PoC | v1.0.1, v2.0.3, +23 more | 2004-12-31
Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBulletin allows remote attackers to spoof parts of a website via the loc parameter.
nvd
CVE-2006-4271 | P3 | HIGH | CVSS 7.5 | v3.5.4 | 2006-08-21
PHP remote file inclusion vulnerability in install/upgrade_301.php in Jelsoft vBulletin 3.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the step parameter. NOTE: the vendor has disputed this vulnerability, saying "The default vBulletin requires authentication prior to the usage of the upgrade system.
nvd
CVE-2007-2911 | P4 | HIGH | CVSS 8.5 | ≤ 3.6.5 | 2007-05-30
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573.
nvd
CVE-2005-3024 | P4 | HIGH | CVSS 7.5 | v1.0.1, v2.0.3, +31 more | 2005-09-21
Multiple SQL injection vulnerabilities in vBulletin 3.0.7 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) announcement parameter to announcement.php, the (2) thread[forumid] or (3) criteria parameters to thread.php, (4) userid parameter to user.php, the (5) calendarcustomfieldid, (6) calendarid, (7) moderatorid, (8) holidayid, (
nvd
CVE-2007-4120 | P4 | CRITICAL | CVSS 9.3 | v3.6.5 | 2007-08-01
Multiple PHP remote file inclusion vulnerabilities in Jelsoft vBulletin 3.6.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) classfile parameter to includes/functions.php, the (2) nextitem parameter to includes/functions_cron.php, and the (3) specialtemplates parameter to includes/functions_forumdisplay.php. NOTE: this issue is di
nvd
CVE-2005-3022 | P4 | HIGH | CVSS 7.5 | v1.0.1, v2.0.3, +33 more | 2005-09-21
Multiple SQL injection vulnerabilities in vBulletin 3.0.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) announcement parameter to announcement.php, (2) userid parameter to user.php, (3) calendar parameter to admincalendar.php, (4) cronid parameter to cronlog.php, (5) usergroupid parameter to email.php, (6) help parameter to he
nvd
CVE-2006-3253 | P4 | LOW | CVSS 2.6 | PoC | v3.5.0, v3.5.0_beta_1, +9 more | 2006-06-28
Cross-site scripting (XSS) vulnerability in member.php in vBulletin 3.5.x allows remote attackers to inject arbitrary web script or HTML via the u parameter. NOTE: the vendor has disputed this report, stating that they have been unable to replicate the issue and that "the userid parameter is run through our filtering system as an unsigned integer.
nvd
CVE-2006-2018 | P4 | HIGH | CVSS 7.5 | v3.0, v3.0.0, +11 more | 2006-04-25
SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the eventid parameter. NOTE: the affected version has been disputed by the vendor. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4.
nvd
CVE-2001-0475 | P4 | HIGH | CVSS 7.5 | ≤ 1.1.5, ≤ 2.0_beta_2 | 2001-06-27
index.php in Jelsoft vBulletin does not properly initialize a PHP variable that is used to store template information, which allows remote attackers to execute arbitrary PHP code via special characters in the templatecache parameter.
nvd
CVE-2004-2695 | P4 | HIGH | CVSS 7.5 | CWE-89 | v3.0, v3.0.1, +9 more | 2004-12-31
SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.3 allows remote attackers to execute arbitrary SQL statements via the x_invoice_num parameter. NOTE: this issue might be related to CVE-2006-4267.
nvd
CVE-2006-4272 | P4 | HIGH | CVSS 7.5 | v3.5.4 | 2006-08-21
Jelsoft vBulletin 3.5.4 allows remote attackers to register multiple arbitrary users and cause a denial of service (resource consumption) via a large number of requests to register.php. NOTE: the vendor has disputed this vulnerability, stating "If you have the CAPTCHA enabled then the registrations won't even go through. ... if you are talking about the flood be
nvd
CVE-2006-2335 | P4 | MEDIUM | CVSS 6.5 | v3.5.8 | 2006-05-12
Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and processes them in a way that allows remote authenticated administrators to gain shell access by uploading a CSS file that contains PHP code, then selecting the file via the style chooser, which causes the PHP code to be executed. NOTE: the vendor was unable to reproduce this issue in 3.5.x.
nvd
CVE-2007-1573 | P4 | MEDIUM | CVSS 6.0 | CWE-89 | ≤ 3.6.5, v3.6.4 | 2007-03-21
SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field.
nvd
CVE-2006-1816 | P4 | MEDIUM | CVSS 5.0 | v3.5.1, v3.5.2, +1 more | 2006-04-18
PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and 3.5.4 allows remote attackers to execute arbitrary code via a URL in the systempath parameter to (1) ImpExModule.php, (2) ImpExController.php, and (3) ImpExDisplay.php.
nvd
CVE-2004-0036 | P4 | MEDIUM | CVSS 5.0 | v2.3.0 | 2004-01-20
SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter.
nvd
CVE-2007-2912 | P4 | MEDIUM | CVSS 5.0 | ≤ 3.6.4 | 2007-05-30
Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user.
nvd
CVE-2007-3326 | P4 | MEDIUM | CVSS 5.8 | v3.0.0 | 2007-06-21
Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow remote attackers to redirect visitors to arbitrary local files via a .. (dot dot) in (1) the loc parameter to admincp/index.php and (2) the Hyperlink information URL field for post Topic in showthread.php, enabling cross-site scripting (XSS) and other attacks, a different vulnerability than
nvd
CVE-2005-3021 | P4 | LOW | CVSS 2.1 | v1.0.1, v2.0.3, +33 more | 2005-09-21
image.php in vBulletin 3.0.9 and earlier allows remote attackers with access to the administrator panel to upload arbitrary files via the upload action.
nvd
CVE-2006-0080 | P4 | MEDIUM | CVSS 4.3 | v3.5.2 | 2006-01-04
Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php.
nvd
CVE-2005-3023 | P4 | MEDIUM | CVSS 4.3 | v1.0.1, v2.0.3, +33 more | 2005-09-21
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) announcement.php, (2) admincalendar.php, (3) bbcode.php, (4) cronadmin.php, (5) email.php, (6) faq.php, (7) forum.php, (8) image.php, (9) language.php, (10) ranks.php, (11) replacement.ph
nvd