CVE-2007-4453

Name of the Vulnerable Software and Affected Versions vBulletin version 3.6.8

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web code or HTML via specific parameters to various PHP files, including the s parameter to "index.php" and the q parameter to several other PHP files, such as "faq.php", "member.php", "memberlist.php", "calendar.php", "search.php", "forumdisplay.php", "showgroups.php", "online.php", and "sendmessage.php". It's worth noting that the vendor has disputed these issues, stating they cannot reproduce them, and the researcher who identified these vulnerabilities is known to be unreliable.

Recommendations For vBulletin version 3.6.8, as a temporary workaround, consider restricting access to the parameters s and q in the affected PHP files until a patch is available. Additionally, restrict the use of the affected PHP files, such as "faq.php", "member.php", "memberlist.php", "calendar.php", "search.php", "forumdisplay.php", "showgroups.php", "online.php", and "sendmessage.php", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.