Summary
| Detail | |||
|---|---|---|---|
| Vendor | Jelsoft | First view | 2006-06-27 |
| Product | Vbulletin | Last view | 2007-05-30 |
| Version | 3.5.0_rc1 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:jelsoft:vbulletin | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 5 | 2007-05-30 | CVE-2007-2912 | Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user. |
| 8.5 | 2007-05-30 | CVE-2007-2911 | SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin before 3.6.6 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached After" field (GPC['search']['datelineafter'] variable), a related issue to CVE-2007-1573. |
| 4.3 | 2007-05-30 | CVE-2007-2910 | Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.6.7 PL1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_367_xss_fix_plugin.xml update, a related issue to CVE-2007-2909. |
| 3.5 | 2007-05-30 | CVE-2007-2909 | Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin 3.6.x before 3.6.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the vb_calendar366_xss_fix_plugin.xml update. |
| 4.3 | 2007-05-30 | CVE-2007-2908 | Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin before 3.6.6 allows remote attackers to inject arbitrary web script or HTML via the title field in a single add action. |
| 6 | 2007-03-21 | CVE-2007-1573 | SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field. |
| 4.3 | 2007-03-08 | CVE-2007-1342 | Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the add rss url form. |
| 7.5 | 2007-03-06 | CVE-2007-1292 | SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances "almost impossible to achieve." |
| 2.6 | 2006-06-27 | CVE-2006-3253 | Cross-site scripting (XSS) vulnerability in member.php in vBulletin 3.5.x allows remote attackers to inject arbitrary web script or HTML via the u parameter. NOTE: the vendor has disputed this report, stating that they have been unable to replicate the issue and that "the userid parameter is run through our filtering system as an unsigned integer. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 50% (1) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
| 50% (1) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 38616 | vBulletin User Infraction Permissions Information Disclosure |
| 38147 | vBulletin admincp/attachment.php Attached After Field SQL Injection |
| 35157 | vBulletin vb_367_xss_fix_plugin.xml Update Unspecified XSS |
| 35156 | vBulletin vb_calendar366_xss_fix_plugin.xml Update Unspecified XSS |
| 35155 | vBulletin calendar.php title Field XSS |
| 34945 | vBulletin admincp/index.php add rss url Form XSS |
| 34070 | vBulletin admincp/attachment.php Attached Before Field SQL Injection |
| 33835 | vBulletin inlinemod.php postids Parameter SQL Injection |
| 27508 | vBulletin member.php u Parameter XSS |
