2 matches found
CVE-2018-16410
Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php...
Design/Logic Flaw
In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference IDOR via the Poll ID, leading to the ability of a single user to select multiple Poll Options e.g., vote for multiple items...