Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:vbulletin:vbulletin:5.5.0:-:*:*:*:*:*:*
  • CPE Name Search: true
There are 8 matching records.
Displaying matches 1 through 8.
Vuln ID | Summary | CVSS Severity
CVE-2023-39777

A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.

Published: September 15, 2023; 9:15:08 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2020-12720

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Published: May 07, 2020; 8:15:12 PM -0400
V4.0:(not available)
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2019-17271

vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.

Published: October 08, 2019; 9:15:15 AM -0400
V4.0:(not available)
V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-17132

vBulletin through 5.5.4 mishandles custom avatars.

Published: October 04, 2019; 8:15:11 AM -0400
V4.0:(not available)
V3.1: 9.8 CRITICAL
V2.0: 6.8 MEDIUM
CVE-2019-17131

vBulletin before 5.5.4 allows clickjacking.

Published: October 04, 2019; 8:15:11 AM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-17130

vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.

Published: October 04, 2019; 8:15:11 AM -0400
V4.0:(not available)
V3.1: 6.5 MEDIUM
V2.0: 6.4 MEDIUM
CVE-2019-16759

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Published: September 24, 2019; 6:15:13 PM -0400
V4.0:(not available)
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2010-1077

Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter.

Published: March 23, 2010; 3:30:00 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 6.8 MEDIUM