Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2008-3184
Last Modified 29 Jan 2009 01:52:30
Published 15 Jul 2008 02:41:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-3184

Summary

Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. NOTE: this issue can be leveraged to execute arbitrary PHP code.

Vulnerable Systems

Application

  • vBulletin 3.6
  • vBulletin 3.6.1
  • vBulletin 3.6.10
  • vBulletin 3.6.2
  • vBulletin 3.6.3
  • vBulletin 3.6.4
  • vBulletin 3.6.5
  • vBulletin 3.6.6
  • vBulletin 3.6.7
  • vBulletin 3.6.8
  • vBulletin 3.6.9
  • vBulletin 3.7.0
  • vBulletin 3.7.1
  • vBulletin 3.7.2


References

CONFIRM - http://www.vbulletin.com/forum/showthread.php?t=277945

BID - 30134

BUGTRAQ - 20080708 XSS in admin logs - vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower

SREASON - 4000

SECUNIA - 30991


Last Updated: 27 May 2016 10:48:06