vBulletin Multiple HTML Injection Vulnerabilities

Bugtraq ID:	52927
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 06 2012 12:00AM
Updated:	Apr 06 2012 12:00AM
Credit:	The vendor reported this issue.
Vulnerable:	VBulletin VBulletin 4.1.10 VBulletin VBulletin 4.1.7 VBulletin VBulletin 4.1.5 VBulletin VBulletin 4.1.4 VBulletin VBulletin 4.1.5 PL1 VBulletin VBulletin 4.1.4 PL3 VBulletin VBulletin 4.1.11
Not Vulnerable:

vBulletin Multiple HTML Injection Vulnerabilities

vBulletin is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

vBulletin versions 4.1.4 through 4.1.11 are vulnerable.

vBulletin Multiple HTML Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

vBulletin Multiple HTML Injection Vulnerabilities

Solution:
Updates are available. Please see the references for details.

vBulletin Multiple HTML Injection Vulnerabilities

References:

• vBulletin Homepage (vBulletin)
  
• vBulletin Security Patch for vBulletin 4.1.4 - 4.1.11 for Suite & Forum - 03/23/ (vBulletin)