CVE-2012-6670

Name of the Vulnerable Software and Affected Versions vBulletin vbActivity module versions prior to 3.0.1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the reason parameter in specific API endpoints, such as "actions/nominatemedal.php" or "actions/requestmedal.php".

Recommendations For versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the actions/nominatemedal.php and actions/requestmedal.php endpoints until the update is applied. Avoid using the reason parameter in these endpoints until the issue is resolved.