CVE-2008-3184

vBulletin <3.7.x - XSS

Description

Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Jessica Hope · html · webapps · php
https://www.exploit-db.com/exploits/32017

Scores

EPSS 0.0290
EPSS Percentile 86.2%

Classification

CWE
CWE-79
Status draft

Affected Products (17)

vbulletin/vbulletin

Timeline

Published Jul 15, 2008
Tracked Since Feb 18, 2026