PT-2007-2273 · Vbulletin · Vbulletin

Published: 2007-02-07 · Updated: 2024-08-07 · CVE-2007-0830

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: vBulletin version 3.6.4
Description: Multiple cross-site scripting (XSS) vulnerabilities exist in the Admin Control Panel (AdminCP) of vBulletin. They allow remote authenticated administrators to inject arbitrary web script or HTML via various vectors in several management functions, including the User Group Manager, User Rank Manager, User Title Manager, BB Code Manager, Attachment Manager, Calendar Manager, and Forums & Moderators. Note that the vendor disputes this issue, stating that modifying HTML is an intended privilege of an administrator.
Recommendations: For version 3.6.4, restrict administrator privileges to the minimum needed to reduce the risk of exploitation, and be cautious when allowing HTML modifications in the Admin Control Panel. As a temporary workaround, consider disabling the affected management functions until a resolution is determined. Because the vendor disputes this issue, evaluate the risk against the privileges administrators are intended to have in your specific deployment. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: XSS

Related Identifiers: CVE-2007-0830

Affected Products: Vbulletin