Code injection
Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations and other activities...