Information security awareness specialists report finding multiple vulnerabilities in vBulletin, a popular software for creating forums on websites. According to the report, successful exploitation of these vulnerabilities would lead to the deployment of inter-site scripting (XSS) attacks.
Below are brief descriptions of reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2020-25124: Remote threat actors can perform inter-site scripting (XSS) attacks through a URI (admincp/attachment.php&do-rebuild&type). This flaw exists due to insufficient disinfection of user-supplied data, so attackers could trick the victim into following a specially crafted link and executing arbitrary HTML code in the browser.
This flaw received a score of 3.4/10.
CVE-2020-25122: Inadequate debugging of user-supplied data would allow malicious hackers to trick users into following a specially designed link and executing arbitrary HTML code in the context of a vulnerable website. This vulnerability received a score of 3.4/10.
CVE-2020-25123: Insufficient disinfection of user-supplied data to vulnerable application allows remote attackers to trick victims into following a specially crafted link and executing arbitrary HTML code in the context of a vulnerable website.
The vulnerability received a score of 3.4/10.
CVE-2020-25120: This flaw exists due to insufficient disinfection of user-supplied data to the target application. A remote threat actor could trick users into following a specially designed link and executing arbitrary HTML code in the context of a vulnerable website.
This vulnerability received a score of 3.4/10, mentioned by information security awareness specialists.
CVE-2020-25119: Inadequate disinfection of user-supplied data would allow threat actors to execute arbitrary HTML, tricking victims into targeting a specially designed link, deploying an XSS attack. The vulnerability received a score of 3.4/10.
CVE-2020-25118: Insufficient disinfection of user-supplied data would allow malicious hackers to execute arbitrary HTML in the context of the affected software, triggering an XSS attack. A successful attack would allow the theft of information, modification of a website with vBulletin, among other malicious activities. The flaw received a score of 3.4/10.
CVE-2020-25115: Inadequate disinfection of user-supplied data would allow threat actors to execute arbitrary HTML, tricking victims into targeting a specially designed link, deploying an XSS attack. The vulnerability received a score of 3.4/10.
CVE-2020-25116: Insufficient debugging of user-supplied data would allow threat actors to trick the victim into following a specially designed link and be able to execute HTML code and arbitrary scripts in the context of a vulnerable website.
According to information security awareness specialists, this vulnerability received a score of 3.4/10.
CVE-2020-25117: Inadequate debugging of user-supplied data allows remote threat actors to trick victims into following specially designed links and running arbitrary scripts in the context of a vulnerable website. The vulnerability received a score of 3.4/10.
CVE-2020-25121: Vulnerability exists due to insufficient disinfection of user-supplied data. A remote attacker can trick the victim into following a specially designed link and executing html code and arbitrary script in the user’s browser in the context of vulnerable website. The flaw received a score of 3.4/10.
All reported vulnerabilities reside in vBulletin version 5.6.3, mentioned by specialists. Although the flaws are not particularly serious, it should be mentioned that no patches are available, so vulnerable website administrators should remain alert upon the release of any updates.