Filtered by vendor Vbulletin
Subscriptions
Filtered by product Vbulletin
Subscriptions
Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-25123 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. | ||||
| CVE-2020-25117 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. | ||||
| CVE-2020-25121 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. | ||||
| CVE-2020-25124 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. | ||||
| CVE-2020-25119 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. | ||||
| CVE-2020-25116 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 4.8 Medium |
| The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. | ||||
| CVE-2020-17496 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 9.8 Critical |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | ||||
| CVE-2020-12720 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 9.8 Critical |
| vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | ||||
| CVE-2020-7373 | 1 Vbulletin | 1 Vbulletin | 2024-08-04 | 9.8 Critical |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | ||||
| CVE-2023-25135 | 1 Vbulletin | 1 Vbulletin | 2024-08-02 | 9.8 Critical |
| vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1. | ||||