ID CVE-2005-3020 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:33:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin before 3.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter to css.php, (2) redirect parameter to index.php, (3) email parameter to user.php, (4) goto parameter to language.php, (5) orderby parameter to modlog.php, and the (6) hex, (7) rgb, or (8) expandset parameter to template.php.
{"osvdb": [{"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "## Vulnerability Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'email' variable upon submission to the /admincp/user.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 3.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'email' variable upon submission to the /admincp/user.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://vbulletin.com/\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?p=961409\n[Secunia Advisory ID:16873](https://secuniaresearch.flexerasoftware.com/advisories/16873/)\n[Related OSVDB ID: 19539](https://vulners.com/osvdb/OSVDB:19539)\n[Related OSVDB ID: 19538](https://vulners.com/osvdb/OSVDB:19538)\n[Related OSVDB ID: 19541](https://vulners.com/osvdb/OSVDB:19541)\n[Related OSVDB ID: 19543](https://vulners.com/osvdb/OSVDB:19543)\n[Related OSVDB ID: 19546](https://vulners.com/osvdb/OSVDB:19546)\n[Related OSVDB ID: 19534](https://vulners.com/osvdb/OSVDB:19534)\n[Related OSVDB ID: 19542](https://vulners.com/osvdb/OSVDB:19542)\n[Related OSVDB ID: 19544](https://vulners.com/osvdb/OSVDB:19544)\n[Related OSVDB ID: 19545](https://vulners.com/osvdb/OSVDB:19545)\n[Related OSVDB ID: 19560](https://vulners.com/osvdb/OSVDB:19560)\nOther Advisory URL: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0224.html\nKeyword: BuHa Security-Advisory #3\nISS X-Force ID: 22324\n[CVE-2005-3020](https://vulners.com/cve/CVE-2005-3020)\nBugtraq ID: 14874\n", "modified": "2005-09-17T13:14:34", "published": "2005-09-17T13:14:34", "href": "https://vulners.com/osvdb/OSVDB:19540", "id": "OSVDB:19540", "title": "vBulletin /admincp/user.php email Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "## Vulnerability Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'goto' variable upon submission to the /admincp/language.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 3.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'goto' variable upon submission to the /admincp/language.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://vbulletin.com/\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?p=961409\n[Secunia Advisory ID:16873](https://secuniaresearch.flexerasoftware.com/advisories/16873/)\n[Related OSVDB ID: 19539](https://vulners.com/osvdb/OSVDB:19539)\n[Related OSVDB ID: 19540](https://vulners.com/osvdb/OSVDB:19540)\n[Related OSVDB ID: 19538](https://vulners.com/osvdb/OSVDB:19538)\n[Related OSVDB ID: 19543](https://vulners.com/osvdb/OSVDB:19543)\n[Related OSVDB ID: 19546](https://vulners.com/osvdb/OSVDB:19546)\n[Related OSVDB ID: 19534](https://vulners.com/osvdb/OSVDB:19534)\n[Related OSVDB ID: 19542](https://vulners.com/osvdb/OSVDB:19542)\n[Related OSVDB ID: 19544](https://vulners.com/osvdb/OSVDB:19544)\n[Related OSVDB ID: 19545](https://vulners.com/osvdb/OSVDB:19545)\n[Related OSVDB ID: 19560](https://vulners.com/osvdb/OSVDB:19560)\nOther Advisory URL: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0224.html\nKeyword: BuHa Security-Advisory #3\nISS X-Force ID: 22324\n[CVE-2005-3020](https://vulners.com/cve/CVE-2005-3020)\nBugtraq ID: 14874\n", "modified": "2005-09-17T13:14:34", "published": "2005-09-17T13:14:34", "href": "https://vulners.com/osvdb/OSVDB:19541", "id": "OSVDB:19541", "title": "vBulletin /admincp/language.php goto Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "## Vulnerability Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'group' variable upon submission to the /admincp/css.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 3.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'group' variable upon submission to the /admincp/css.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://vbulletin.com/\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?p=961409\n[Secunia Advisory ID:16873](https://secuniaresearch.flexerasoftware.com/advisories/16873/)\n[Related OSVDB ID: 19539](https://vulners.com/osvdb/OSVDB:19539)\n[Related OSVDB ID: 19540](https://vulners.com/osvdb/OSVDB:19540)\n[Related OSVDB ID: 19541](https://vulners.com/osvdb/OSVDB:19541)\n[Related OSVDB ID: 19543](https://vulners.com/osvdb/OSVDB:19543)\n[Related OSVDB ID: 19546](https://vulners.com/osvdb/OSVDB:19546)\n[Related OSVDB ID: 19534](https://vulners.com/osvdb/OSVDB:19534)\n[Related OSVDB ID: 19542](https://vulners.com/osvdb/OSVDB:19542)\n[Related OSVDB ID: 19544](https://vulners.com/osvdb/OSVDB:19544)\n[Related OSVDB ID: 19545](https://vulners.com/osvdb/OSVDB:19545)\n[Related OSVDB ID: 19560](https://vulners.com/osvdb/OSVDB:19560)\nOther Advisory URL: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0224.html\nKeyword: BuHa Security-Advisory #3\nISS X-Force ID: 22324\n[CVE-2005-3020](https://vulners.com/cve/CVE-2005-3020)\nBugtraq ID: 14874\n", "modified": "2005-09-17T13:14:34", "published": "2005-09-17T13:14:34", "href": "https://vulners.com/osvdb/OSVDB:19538", "id": "OSVDB:19538", "title": "vBulletin /admincp/css.php group Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "## Vulnerability Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'orderby' variable upon submission to the /admincp/modlog.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 3.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'orderby' variable upon submission to the /admincp/modlog.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://vbulletin.com/\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?p=961409\n[Secunia Advisory ID:16873](https://secuniaresearch.flexerasoftware.com/advisories/16873/)\n[Related OSVDB ID: 19539](https://vulners.com/osvdb/OSVDB:19539)\n[Related OSVDB ID: 19540](https://vulners.com/osvdb/OSVDB:19540)\n[Related OSVDB ID: 19538](https://vulners.com/osvdb/OSVDB:19538)\n[Related OSVDB ID: 19541](https://vulners.com/osvdb/OSVDB:19541)\n[Related OSVDB ID: 19543](https://vulners.com/osvdb/OSVDB:19543)\n[Related OSVDB ID: 19546](https://vulners.com/osvdb/OSVDB:19546)\n[Related OSVDB ID: 19534](https://vulners.com/osvdb/OSVDB:19534)\n[Related OSVDB ID: 19544](https://vulners.com/osvdb/OSVDB:19544)\n[Related OSVDB ID: 19545](https://vulners.com/osvdb/OSVDB:19545)\n[Related OSVDB ID: 19560](https://vulners.com/osvdb/OSVDB:19560)\nOther Advisory URL: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0224.html\nKeyword: BuHa Security-Advisory #3\nISS X-Force ID: 22324\n[CVE-2005-3020](https://vulners.com/cve/CVE-2005-3020)\nBugtraq ID: 14874\n", "modified": "2005-09-17T13:14:34", "published": "2005-09-17T13:14:34", "href": "https://vulners.com/osvdb/OSVDB:19542", "id": "OSVDB:19542", "title": "vBulletin /admincp/modlog.php orderby Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "## Vulnerability Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'hex', 'rgb' or 'expandset' variables upon submission to the /admincp/template.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 3.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'hex', 'rgb' or 'expandset' variables upon submission to the /admincp/template.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://vbulletin.com/\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?p=961409\n[Secunia Advisory ID:16873](https://secuniaresearch.flexerasoftware.com/advisories/16873/)\n[Related OSVDB ID: 19539](https://vulners.com/osvdb/OSVDB:19539)\n[Related OSVDB ID: 19540](https://vulners.com/osvdb/OSVDB:19540)\n[Related OSVDB ID: 19538](https://vulners.com/osvdb/OSVDB:19538)\n[Related OSVDB ID: 19541](https://vulners.com/osvdb/OSVDB:19541)\n[Related OSVDB ID: 19546](https://vulners.com/osvdb/OSVDB:19546)\n[Related OSVDB ID: 19534](https://vulners.com/osvdb/OSVDB:19534)\n[Related OSVDB ID: 19542](https://vulners.com/osvdb/OSVDB:19542)\n[Related OSVDB ID: 19544](https://vulners.com/osvdb/OSVDB:19544)\n[Related OSVDB ID: 19545](https://vulners.com/osvdb/OSVDB:19545)\n[Related OSVDB ID: 19560](https://vulners.com/osvdb/OSVDB:19560)\nOther Advisory URL: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0224.html\nKeyword: BuHa Security-Advisory #3\nISS X-Force ID: 22324\n[CVE-2005-3020](https://vulners.com/cve/CVE-2005-3020)\nBugtraq ID: 14874\n", "modified": "2005-09-17T13:14:34", "published": "2005-09-17T13:14:34", "href": "https://vulners.com/osvdb/OSVDB:19543", "id": "OSVDB:19543", "title": "vBulletin /admincp/template.php Multiple Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "## Vulnerability Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'redirect' or 'loc' variables upon submission to the /admincp/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 3.0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nvBulletin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'redirect' or 'loc' variables upon submission to the /admincp/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://vbulletin.com/\nVendor Specific News/Changelog Entry: http://www.vbulletin.com/forum/showthread.php?p=961409\n[Secunia Advisory ID:16873](https://secuniaresearch.flexerasoftware.com/advisories/16873/)\n[Related OSVDB ID: 19540](https://vulners.com/osvdb/OSVDB:19540)\n[Related OSVDB ID: 19538](https://vulners.com/osvdb/OSVDB:19538)\n[Related OSVDB ID: 19541](https://vulners.com/osvdb/OSVDB:19541)\n[Related OSVDB ID: 19543](https://vulners.com/osvdb/OSVDB:19543)\n[Related OSVDB ID: 19546](https://vulners.com/osvdb/OSVDB:19546)\n[Related OSVDB ID: 19534](https://vulners.com/osvdb/OSVDB:19534)\n[Related OSVDB ID: 19542](https://vulners.com/osvdb/OSVDB:19542)\n[Related OSVDB ID: 19544](https://vulners.com/osvdb/OSVDB:19544)\n[Related OSVDB ID: 19545](https://vulners.com/osvdb/OSVDB:19545)\n[Related OSVDB ID: 19560](https://vulners.com/osvdb/OSVDB:19560)\nOther Advisory URL: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0224.html\nKeyword: BuHa Security-Advisory #3\nISS X-Force ID: 22324\n[CVE-2005-3020](https://vulners.com/cve/CVE-2005-3020)\n[CVE-2005-3025](https://vulners.com/cve/CVE-2005-3025)\nBugtraq ID: 14874\n", "modified": "2005-09-17T13:14:34", "published": "2005-09-17T13:14:34", "href": "https://vulners.com/osvdb/OSVDB:19539", "id": "OSVDB:19539", "title": "vBulletin /admincp/index.php Multiple Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T03:14:31", "bulletinFamily": "exploit", "description": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/css.php group Parameter XSS. CVE-2005-3020 . Webapps exploit for php platform", "modified": "2005-09-19T00:00:00", "published": "2005-09-19T00:00:00", "id": "EDB-ID:26278", "href": "https://www.exploit-db.com/exploits/26278/", "type": "exploitdb", "title": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/css.php group Parameter XSS", "sourceData": "source: http://www.securityfocus.com/bid/14874/info\r\n\r\nvBulletin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n\r\nAn attacker may leverage any of these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. \r\n\r\nhttp://www.example.com/admincp/css.php?do=doedit&dostyleid=1&group=[XSS]", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26278/"}, {"lastseen": "2016-02-03T03:14:57", "bulletinFamily": "exploit", "description": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/language.php goto Parameter XSS. CVE-2005-3020 . Webapps exploit for php platform", "modified": "2005-09-19T00:00:00", "published": "2005-09-19T00:00:00", "id": "EDB-ID:26281", "href": "https://www.exploit-db.com/exploits/26281/", "type": "exploitdb", "title": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/language.php goto Parameter XSS", "sourceData": "source: http://www.securityfocus.com/bid/14874/info\r\n \r\nvBulletin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage any of these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. \r\n\r\nhttp://www.example.com/admincp/language.php?do=rebuild&goto=[XSS]", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26281/"}, {"lastseen": "2016-02-03T03:14:48", "bulletinFamily": "exploit", "description": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/user.php email Parameter XSS. CVE-2005-3020. Webapps exploit for php platform", "modified": "2005-09-19T00:00:00", "published": "2005-09-19T00:00:00", "id": "EDB-ID:26280", "href": "https://www.exploit-db.com/exploits/26280/", "type": "exploitdb", "title": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/user.php email Parameter XSS", "sourceData": "source: http://www.securityfocus.com/bid/14874/info\r\n \r\nvBulletin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage any of these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. \r\n\r\nhttp://www.example.com/modcp/user.php?do=gethost&ip=[XSS]\r\nhttp://www.example.com/admincp/user.php?do=emailpassword&email=[XSS]", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26280/"}, {"lastseen": "2016-02-03T03:15:06", "bulletinFamily": "exploit", "description": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/modlog.php orderby Parameter XSS. CVE-2005-3020 . Webapps exploit for php platform", "modified": "2005-09-19T00:00:00", "published": "2005-09-19T00:00:00", "id": "EDB-ID:26282", "href": "https://www.exploit-db.com/exploits/26282/", "type": "exploitdb", "title": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/modlog.php orderby Parameter XSS", "sourceData": "source: http://www.securityfocus.com/bid/14874/info\r\n \r\nvBulletin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage any of these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. \r\n\r\nhttp://www.example.com/admincp/modlog.php?do=view&orderby=[XSS]", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26282/"}, {"lastseen": "2016-02-03T03:15:19", "bulletinFamily": "exploit", "description": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/template.php Multiple Parameter XSS. CVE-2005-3020. Webapps exploit for php platform", "modified": "2005-09-19T00:00:00", "published": "2005-09-19T00:00:00", "id": "EDB-ID:26283", "href": "https://www.exploit-db.com/exploits/26283/", "type": "exploitdb", "title": "VBulletin 1.0.1 lite/2.x/3.0 /admincp/template.php Multiple Parameter XSS", "sourceData": "source: http://www.securityfocus.com/bid/14874/info\r\n \r\nvBulletin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage any of these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. \r\n\r\nhttp://www.example.com/admincp/template.php?do=colorconverter&hex=[XSS]\r\nhttp://www.example.com/admincp/template.php?do=colorconverter&rgb=[XSS]\r\nhttp://www.example.com/admincp/template.php?do=modify&expandset=[XSS]", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26283/"}], "nessus": [{"lastseen": "2019-02-21T01:08:46", "bulletinFamily": "scanner", "description": "The version of vBulletin installed on the remote host fails to properly sanitize user-supplied input to a number of parameters and scripts before using it in database queries and to generate dynamic HTML. An attacker can exploit these issues to launch SQL injection and cross-site scripting attacks against the affected application. Note that the affected scripts require moderator or administrator access, with the exception of 'joinrequests.php'.", "modified": "2018-09-17T00:00:00", "id": "VBULLETIN_309.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=19760", "published": "2005-09-19T00:00:00", "title": "vBulletin <= 3.0.9 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(19760);\n script_version (\"1.26\");\n\n script_cve_id(\n \"CVE-2005-3019\", \n \"CVE-2005-3020\", \n \"CVE-2005-3024\",\n \"CVE-2005-3025\"\n );\n script_bugtraq_id(14872, 14874);\n\n name[\"english\"] = \"vBulletin <= 3.0.9 Multiple Vulnerabilities\";\n\n script_name(english:name[\"english\"]);\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is vulnerable to\nseveral flaws.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of vBulletin installed on the remote host fails to\nproperly sanitize user-supplied input to a number of parameters and\nscripts before using it in database queries and to generate dynamic\nHTML. An attacker can exploit these issues to launch SQL injection\nand cross-site scripting attacks against the affected application. \nNote that the affected scripts require moderator or administrator\naccess, with the exception of 'joinrequests.php'.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to vBulletin 3.0.9 to resolve many but not all of these issues.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2005-3019\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/09/19\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/17\");\n\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jelsoft:vbulletin\");\nscript_end_attributes();\n\n\n summary[\"english\"] = \"Checks for multiple vulnerabilities in vBulletin <= 3.0.9\";\n script_summary(english:summary[\"english\"]);\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof..\");\n\n script_dependencies(\"vbulletin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/vBulletin\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80, php: TRUE);\n\n# Test an install.\ninstall = get_kb_item_or_exit(\"www/\"+port+ \"/vBulletin\");\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n # nb: 3.0.9 and below are affected.\n if (ver =~ \"^([0-2]\\.|3\\.0\\.[0-9]($|[^0-9]))\") {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
