CVE-2002-2235

Jelsoft vBulletin - Numeric Error

Title source: rule

Description

member2.php in vBulletin 2.2.9 and earlier does not properly restrict the $perpage variable to be an integer, which causes an error message to be reflected back to the user without quoting, which facilitates cross-site scripting (XSS) and possibly other attacks.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Sp.IC · php · webapps · php
https://www.exploit-db.com/exploits/22042

Scores

EPSS 0.0055
EPSS Percentile 67.9%

Details

CWE
CWE-189
Status published
Products (14)
jelsoft/vbulletin 2.0
jelsoft/vbulletin 2.0.1
jelsoft/vbulletin 2.0.2
jelsoft/vbulletin 2.2.0
jelsoft/vbulletin 2.2.1
jelsoft/vbulletin 2.2.2
jelsoft/vbulletin 2.2.3
jelsoft/vbulletin 2.2.4
jelsoft/vbulletin 2.2.5
jelsoft/vbulletin 2.2.6
... and 4 more
Published Dec 31, 2002
Tracked Since Feb 18, 2026