CVE-2007-2908

vBulletin < 3.6.5 - Cross-Site Scripting via Calendar Title Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-2908. PoCs published by laurent gaffie.

AI-analyzed exploit summary This exploit demonstrates an HTML injection vulnerability in vBulletin 3.6.6 and prior versions. By injecting malicious JavaScript into the title field of the calendar event, an attacker can execute arbitrary script code in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vBulletin before 3.6.6 allows remote attackers to inject arbitrary web script or HTML via the title field in a single add action.

Exploits (1)

exploitdb WORKING POC VERIFIED

by laurent gaffie · textwebappsphp

https://www.exploit-db.com/exploits/30047

View Code ZIP pw:eip

This exploit demonstrates an HTML injection vulnerability in vBulletin 3.6.6 and prior versions. By injecting malicious JavaScript into the title field of the calendar event, an attacker can execute arbitrary script code in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: vBulletin 3.6.6 and prior

Auth required

Prerequisites: Authenticated access to the vBulletin application

MITRE ATT&CK