fkie_nvd - fkie_cve-2008-3184

fkie_cve-2008-3184

Vulnerability from fkie_nvd

Published

2008-07-15 18:41

Modified

2024-11-21 00:48

Severity ?

Summary

Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.

References

URL	Tags
cve@mitre.org	http://secunia.com/advisories/30991	Vendor Advisory
cve@mitre.org	http://securityreason.com/securityalert/4000
cve@mitre.org	http://www.securityfocus.com/archive/1/494049/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/30134
cve@mitre.org	http://www.vbulletin.com/forum/showthread.php?t=277945
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/30991	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/4000
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/494049/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/30134
af854a3a-2127-422b-91ae-364da2661108	http://www.vbulletin.com/forum/showthread.php?t=277945

Impacted products

Vendor	Product	Version
vbulletin	vbulletin	3.6
vbulletin	vbulletin	3.6.1
vbulletin	vbulletin	3.6.2
vbulletin	vbulletin	3.6.3
vbulletin	vbulletin	3.6.4
vbulletin	vbulletin	3.6.5
vbulletin	vbulletin	3.6.6
vbulletin	vbulletin	3.6.7
vbulletin	vbulletin	3.6.8
vbulletin	vbulletin	3.6.9
vbulletin	vbulletin	3.6.10
vbulletin	vbulletin	3.6.10
vbulletin	vbulletin	3.7.0
vbulletin	vbulletin	3.7.1
vbulletin	vbulletin	3.7.1
vbulletin	vbulletin	3.7.1
vbulletin	vbulletin	3.7.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "75BAA1A3-CA91-402B-8CFE-01778E27B318",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABC24504-D78B-45BC-93F1-B5CDCDAA92E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9129788-2938-4412-96D3-4560EA56825A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E8CD7CA-3E0A-428D-A489-F1CC8814D1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "04B14DA1-E1BE-4FBF-B4CB-10DEF70EFEAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E4EC2725-2150-4EE0-9717-79F444033439",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "36575735-8E55-4497-9A7D-261A136EDADC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5B2778F-E108-4C6F-AA54-09A6E426A93D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B0BC5E0-7BC9-490C-9C1C-DE089FCA8DFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "A41C2C6E-DE18-4FF1-ACC0-4AA6B98C457B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C16EC27E-E7FE-416C-A518-3BCEEA375E17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.6.10:pl1:*:*:*:*:*:*",
              "matchCriteriaId": "50258677-B723-40C7-A1A0-2F4E9A29E1F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0184837A-244A-4603-B699-674F5E00044E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFE64221-03E3-4443-A394-A033EA1C4D9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.7.1:gold:*:*:*:*:*:*",
              "matchCriteriaId": "5F6E2703-22C1-43ED-B4A1-FB46E8079BE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.7.1:pl1:*:*:*:*:*:*",
              "matchCriteriaId": "3B6EC290-6EFA-4173-835E-B33E1F777F99",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vbulletin:vbulletin:3.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "77C5D6A7-FF1A-42E5-A787-6351B85DF692",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php.  NOTE: this issue can be leveraged to execute arbitrary PHP code."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en vBulletin 3.6.10 PL2 y anteriores, y 3.7.2 versiones anteriores a 3.7.x; permiten a atacantes remotos inyectar secuencias de comandos Web o HTML de su elecci\u00f3n mediante (1) el PATH_INFO (PHP_SELF) o (2) el par\u00e1metro do, como se ha demostrado en peticiones a upload/admincp/faq.php.  NOTA: Esta vulnerabilidad puede ser aprovechada para ejecutar c\u00f3digo PHP arbitrario."
    }
  ],
  "id": "CVE-2008-3184",
  "lastModified": "2024-11-21T00:48:38.830",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2008-07-15T18:41:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/30991"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securityreason.com/securityalert/4000"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/494049/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/30134"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vbulletin.com/forum/showthread.php?t=277945"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/30991"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/4000"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/494049/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/30134"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vbulletin.com/forum/showthread.php?t=277945"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cve-2008-3184

Vulnerability from cvelistv5

Published

2008-07-15 18:03

Modified

2024-08-07 09:28