U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:vbulletin:vbulletin:4.2.5:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 8 matching records.
Displaying matches 1 through 8.
Vuln ID Summary CVSS Severity
CVE-2023-39777

A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.

Published: September 15, 2023; 9:15:08 PM -0400 		V4.0:(not available)
 V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2019-17271

vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.

Published: October 08, 2019; 9:15:15 AM -0400 		V4.0:(not available)
 V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-17132

vBulletin through 5.5.4 mishandles custom avatars.

Published: October 04, 2019; 8:15:11 AM -0400 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 6.8 MEDIUM
CVE-2019-17131

vBulletin before 5.5.4 allows clickjacking.

Published: October 04, 2019; 8:15:11 AM -0400 		V4.0:(not available)
 V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-17130

vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.

Published: October 04, 2019; 8:15:11 AM -0400 		V4.0:(not available)
 V3.1: 6.5 MEDIUM
V2.0: 6.4 MEDIUM
CVE-2018-6200

vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.

Published: January 24, 2018; 11:29:00 PM -0500 		V4.0:(not available)
 V3.0: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2017-7569

In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.

Published: April 06, 2017; 1:59:00 PM -0400 		V4.0:(not available)
 V3.0: 8.6 HIGH
V2.0: 5.0 MEDIUM
CVE-2010-1077

Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter.

Published: March 23, 2010; 3:30:00 PM -0400 		V4.0:(not available)
 V3.x:(not available)
 V2.0: 6.8 MEDIUM