CVE-2008-3184
vBulletin <= 3.6.10 PL2 and <= 3.7.2 - Cross-Site Scripting via PATH_INFO or do Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-3184. PoCs published by Jessica Hope.
AI-analyzed exploit summary: This exploit demonstrates an HTML injection vulnerability in vBulletin by crafting multiple image tags with malicious JavaScript payloads split across multiple requests to bypass input sanitization. The payload reconstructs and executes arbitrary JavaScript in the context of the victim's browser.
Description
Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.