CVE | Category | Price | Severity |
---|---|---|---|
N/A | CWE-79 | N/A | High |

Author | Risk | Exploitation Type | Date |
---|---|---|---|
Unknown | High | Remote | 2011-08-10 |

CVSS | EPSS | EPSSP |
---|---|---|
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | 0.02192 | 0.50148 |
*Advisory Information*

Title: vBulletin Cross Site Scripting Vulnerability
Date published: 02-08-2011
Vendors contacted: vBulletin team

*Vulnerability Information*

Class: XSS flaw
Vulnerable page: Admin Login Page (admincp)
Remotely Exploitable: Yes
Locally Exploitable: No

*Vulnerability Description*

vBulletin is a community forum solution for a wide range of users, including industry-leading companies. An XSS vulnerability has been discovered that could allow an attacker to carry out actions while impersonating a legitimate user, or to obtain access to a user's account. This flaw allows unauthorized disclosure and modification of information, and it allows disruption of service.

*Vulnerable versions*

4.1.3pl3, 4.1.4pl3 & 4.1.5pl1

*Non-vulnerable Packages*

. vBulletin prior to 4.1.3

*Vendor Information, Solutions and Workarounds*

The vBulletin team released patches for this flaw on 02-08-2011.
https://www.vbulletin.com/forum/showthread.php/385133-vBulletin-4.1.3-4.1.4-and-4.1.5-Security-Patch

*Credits*

This vulnerability was discovered by Muhammad Haroon from Innovative Solutions KSA. OWASP Chapter Lead of Pakistan. haroon [at] live [dot] it

*Proof of Concept Code*

This is a Cross Site Scripting (XSS) vulnerability within the vBulletin community forum solution. To exploit this flaw, the following vector would be used:

http://www.example.com/forums/admincp/?"><script>alert('Xss_found_By_M.Haroon')</script>

*Report Timeline*

30-07-2011: Notifies the vBulletin team about the vulnerability.
31-07-2011: vBulletin team asks for a technical description of the flaw.
31-07-2011: Technical details sent to the vBulletin team.
02-08-2011: vBulletin notifies that a fix has been produced and is available to users on 2nd August 2011.
03-08-2011: Vulnerability publicly disclosed.
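
The following is an added example, not part of the original advisory or of vBulletin's code: a defender-side check that scans web access logs for requests to the admin login path (admincp) whose query string decodes to HTML markup, which is the shape of the vector shown above. The common/combined log format, the `scan` and `decode_fully` helpers and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Quotes and angle brackets: what a payload needs to close an attribute
# value and open a new tag, as the advisory's vector does.
MARKUP_RE = re.compile(r'[<>"\']')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines, admin_dir="/admincp"):
    """Return (line_no, decoded_query) for admin-panel requests whose
    query string contains HTML markup characters after decoding."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        decoded = decode_fully(query)
        if admin_dir in decode_fully(path).lower() and MARKUP_RE.search(decoded):
            hits.append((line_no, decoded))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2011:10:00:00 +0000] "GET /forums/admincp/?do=login HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Aug/2011:10:01:12 +0000] "GET /forums/admincp/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [10/Aug/2011:10:01:40 +0000] "GET /forums/admincp/?%2522%253E%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5301',
    '203.0.113.7 - - [10/Aug/2011:10:02:03 +0000] "GET /forums/search.php?q=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, query in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious admincp query: {query!r}")
```

A hit shows that the request was made, not that the page reflected it; on an installation with the vendor patch applied, the same request is harmless but still worth triaging.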