vBulletin Multiple Cross-Site Scripting Vulnerabilities

vendor:

vBulletin

by:

SecurityFocus

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: vBulletin

Affected Version From: 3.6.2000

Affected Version To: 3.6.2003

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

vBulletin Multiple Cross-Site Scripting Vulnerabilities

vBulletin is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data. An attacker could exploit this vulnerability to have arbitrary script code execute in the context of the affected site. This may allow an attacker to steal cookie-based authentication credentials and to launch other attacks.

Mitigation:

Input validation should be used to ensure that user-supplied data does not include malicious HTML or script code.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/21157/info

vBulletin is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

An attacker could exploit this vulnerability to have arbitrary script code execute in the context of the affected site. This may allow an attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions 3.6.0 to 3.6.3 are vulnerable; other versions may also be affected.

http://www.example.com/vbulletin/admincp/index.php?do=buildnavprefs&nojs=0&prefs= "><script>alert("insanity")</script> http://www.example.com/vbulletin/admincp/index.php?do=savenavprefs&nojs=0&navprefs= "><script>alert("insanity")</script>