CVE-2006-1040
vBulletin 3.0.12 and 3.5.3 - Cross-Site Scripting via Email Field
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-1040. PoCs published by imei.
AI-analyzed exploit summary: This exploit demonstrates an HTML injection vulnerability in vBulletin, allowing attacker-supplied HTML and script code to execute in the context of the affected website. The PoC shows how an attacker can inject a script tag into the email field during password editing.
Description
Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 allows remote attackers to inject arbitrary web script or HTML via the email field, which is injected in profile.php but not sanitized in sendmsg.php.