CVE-2008-2744

vBulletin 3.6.10 and 3.7.1 - Cross-Site Scripting via Admin Control Panel Redirect Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-2744. PoCs published by anonymous.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in vBulletin by injecting malicious JavaScript via the 'redirect' parameter in the admin control panel. The payload uses a data URI to execute arbitrary script code in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php).

Exploits (1)

exploitdb WORKING POC VERIFIED

by anonymous · textwebappsphp

https://www.exploit-db.com/exploits/31910

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in vBulletin by injecting malicious JavaScript via the 'redirect' parameter in the admin control panel. The payload uses a data URI to execute arbitrary script code in the context of the affected site.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: vBulletin 3.7.1 and 3.6.10

Auth required

Prerequisites: Access to the admin control panel · User interaction to trigger the payload

MITRE ATT&CK