Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

vBulletin 4.1.3pl3 / 4.1.4pl3 / 4.1.5pl1 Cross Site Scripting

🗓️ 03 Aug 2011 00:00:00Reported by Muhammad HaroonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

vBulletin XSS Vulnerability in Admin Login Page 4.1.3pl3 / 4.1.4pl3 / 4.1.5pl

Code
`  
  
  
*Advisory Information*  
  
Title: vBulletin Cross Site Scripting Vulnerability  
  
Date published: 02-08-2011  
  
Vendors contacted: vBulletin team  
  
  
  
*Vulnerability Information*  
  
Class: XSS flaw  
  
Vulnerable page: Admin Login Page (admincp)  
  
Remotely Exploitable: Yes  
  
Locally Exploitable: No  
  
  
  
*Vulnerability Description*  
  
vBulletin is a community forum solution for a wide range of users,  
including industry leading companies. A XSS vulnerability has been discovered  
that could allow an attacker to carry out an action impersonating a legal user,  
or to obtain access to a user's account.  
  
This flaw allows unauthorized disclosure and modification of information,  
and it allows disruption of service.  
  
  
  
*Vulnerable versions*  
  
4.1.3pl3, 4.1.4pl3 & 4.1.5pl1  
  
  
  
*Non-vulnerable Packages*  
  
. vBulletin prior to 4.1.3  
  
*Vendor Information, Solutions and Workarounds*  
  
vBulletin team has released patches for this flaw and patch is released on  
02-08-2011. https://www.vbulletin.com/forum/showthread.php/385133-vBulletin-4.1.3-4.1.4-and-4.1.5-Security-Patch  
  
  
  
*Credits*  
  
This vulnerability was discovered by Muhammad Haroon from Innovative  
Solutions KSA. OWASP Chapter Lead of Pakistan. haroon [at] live [dot] it  
  
  
  
*Proof of Concept Code*  
  
This is a Cross Site Scripting (XSS) vulnerability within vBulletin  
community forum solution. In order to exploit this flaw following vector would  
be used.  
  
http://www.example.com/forums/admincp/?"><script>alert('Xss_found_By_M.Haroon')</script>  
  
  
  
*Report Timeline*  
  
30-07-2011: Notifies the vBulletin team about the vulnerability.  
  
31-07-2011: vBulletin Team ask for technical description about the flaw  
  
31-07-2011: Technical Details sent to vbulletin team  
  
02-08-2011: vBulletin notifies that a fix has been produced and is  
available to the users on 2nd August 2011  
  
03-08-2011: Vulnerability publicly disclosed.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Aug 2011 00:00Current
vbulletinxss flawadmin login pageremote exploitabledisclosuremodificationservice disruptionsecurity patchmuhammad haroonowasp chapter leadproof of conceptreport timeline
39