Product: Vanilla (Vanillaforums)
Repositories: https://github.com/vanillaforums/Garden
#Vulnerabilities: 18

| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-01-22 | CVE-2011-3613 | An issue exists in Vanilla Forums before 2.0.17.9 due to the way cookies are handled. | Vanilla | N/A | | |
| 2017-05-23 | CVE-2016-10073 | The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request. | Vanilla | 7.5 | | |
| 2019-03-21 | CVE-2019-9889 | In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server. | Vanilla | 2.7 | | |
| 2018-11-23 | CVE-2018-19499 | Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class. | Vanilla | 7.2 | | |
| 2018-11-03 | CVE-2018-18903 | Vanilla 2.6.x before 2.6.4 allows remote code execution. | Vanilla | 9.8 | | |
| 2018-09-28 | CVE-2018-17571 | Vanilla before 2.6.1 allows XSS via the email field of a profile. | Vanilla | 6.1 | | |
| 2018-09-03 | CVE-2018-16410 | Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php. | Vanilla | 6.5 | | |
| 2011-09-23 | CVE-2011-3812 | Vanilla 2.0.16 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by plugins/Minify/min/utils.php and certain other files. | Vanilla | N/A | | |