CVE-2014-3135

Name of the Vulnerable Software and Affected Versions vBulletin version 5.1.1 Alpha 9

Description The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This can be achieved through various means, including the PATH INFO to privatemessage/new/, the folderid parameter to a private message in privatemessage/view, a fragment indicator to /help, or the view parameter to a topic.

Recommendations For vBulletin version 5.1.1 Alpha 9, consider disabling access to the privatemessage/new/, privatemessage/view, /help, and topic view endpoints until a patch is available. Restrict the use of the folderid and view parameters in the affected API endpoints to minimize the risk of exploitation. Avoid using fragment indicators in the /help endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.