CVE-2014-2021

2014-10-2500:55:02

CWE-79

mitre

web.nvd.nist.gov

cve-2014-2021

cross-site scripting

xss

vbulletin

security vulnerability

remote authenticated users

api request

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

AI Score

Confidence

Low

EPSS

0.005

Percentile

75.8%

JSON

Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

Affected configurations

Nvd

Node

vbulletinvbulletinRange≤4.2.2

vbulletinvbulletinMatch5.0.0

vbulletinvbulletinMatch5.0.1

vbulletinvbulletinMatch5.0.2

vbulletinvbulletinMatch5.0.3

vbulletinvbulletinMatch5.0.4

vbulletinvbulletinMatch5.0.5

VendorProductVersionCPE
vbulletinvbulletin*cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*:*
vbulletinvbulletin5.0.0cpe:2.3:a:vbulletin:vbulletin:5.0.0:*:*:*:*:*:*:*
vbulletinvbulletin5.0.1cpe:2.3:a:vbulletin:vbulletin:5.0.1:*:*:*:*:*:*:*
vbulletinvbulletin5.0.2cpe:2.3:a:vbulletin:vbulletin:5.0.2:*:*:*:*:*:*:*
vbulletinvbulletin5.0.3cpe:2.3:a:vbulletin:vbulletin:5.0.3:*:*:*:*:*:*:*
vbulletinvbulletin5.0.4cpe:2.3:a:vbulletin:vbulletin:5.0.4:*:*:*:*:*:*:*
vbulletinvbulletin5.0.5cpe:2.3:a:vbulletin:vbulletin:5.0.5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vbulletin	vbulletin	*	cpe:2.3:a:vbulletin:vbulletin::::::::
vbulletin	vbulletin	5.0.0	cpe:2.3:a:vbulletin:vbulletin:5.0.0:::::::*
vbulletin	vbulletin	5.0.1	cpe:2.3:a:vbulletin:vbulletin:5.0.1:::::::*
vbulletin	vbulletin	5.0.2	cpe:2.3:a:vbulletin:vbulletin:5.0.2:::::::*
vbulletin	vbulletin	5.0.3	cpe:2.3:a:vbulletin:vbulletin:5.0.3:::::::*
vbulletin	vbulletin	5.0.4	cpe:2.3:a:vbulletin:vbulletin:5.0.4:::::::*
vbulletin	vbulletin	5.0.5	cpe:2.3:a:vbulletin:vbulletin:5.0.5:::::::*