CVE-2014-2021
vBulletin < 4.2.2 and 5.0.x-5.0.5 - Authenticated Stored Cross-Site Scripting via XMLRPC API Client Name
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-2021. PoCs published by tintinweb.
AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in vBulletin 4.x/5.x via the xmlrpc API. It injects malicious JavaScript into the admin control panel's API log page, which executes when an admin views the log and clicks on the client name.
Description
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.