CVE-2016-10073
Vanilla Forums
CVE-2020-8825
Vanilla Forums 2.6.3 is affected by a stored cross-site scripting (XSS) vulnerability in index.php?p=/dashboard/settings/branding. The issue arises from insufficient input validation in the branding settings page, enabling an attacker to inject payloads that can execute in a user’s browser. The C...
CVE-2011-0526
CVE-2011-0526 is a documented XSS in Vanilla Forums prior to 2.0.17. An attacker could inject arbitrary script/HTML via the Target parameter in the /entry/signin action (index.php). The Red Hat and NVD entries confirm the affected product and vector, with no exploitation details provided in the s...
CVE-2013-3528
Vanilla Forums prior to 2.0.18.6 is vulnerable to a PHP Object Injection in class.utilitycontroller.php (
CVE-2011-3614
CVE-2011-3614 affects Vanilla Forums (Facebook, Twitter, and Embedded plugins) prior to version 2.0.17.9. The issue is an Access Control vulnerability that could impact confidentiality, integrity, and availability. Remediation: upgrade to Vanilla Forums 2.0.17.9 or newer; apply any vendor-supplie...
CVE-2012-4954
Summary (evidence-based): Vanilla Forums, prior to version 2.1a32, is affected by a parameter manipulation vulnerability on the edit-profile page. An authenticated attacker who can perform a man-in-the-middle attack can replace the target UserID and modify arbitrary profile settings, including th...
CVE-2018-18903
The CVE-2018-18903 issue affects Vanilla Forums (Vanilla) in the domGetImages function of the ImportController, where unserialize via a crafted phar archive enables remote code execution without authentication. This is tied to Vanilla Forums prior to 2.6.4. Affected product: Vanilla Forums; vulne...
CVE-2011-3613
Vanilla Forums before 2.0.17.9 contains a cookie handling issue that can lead to information disclosure. The vulnerability affects Vanilla Forums (PHP-based open source forum) and is described across multiple connected entries (CVE-2011-3613; CNVD-2020-13206). Root cause: improper cookie handling...
CVE-2011-1009
CVE-2011-1009 affects Vanilla Forums versions 2.0.17.1–2.0.17.5, where an XSS flaw exists in /vanilla/index.php via the p parameter. The issue is validated by multiple connected sources (NVD entry and Red Hat/CVE pages). The vulnerability enables cross-site scripting within affected installations...
CVE-2011-0908
CVE-2011-0908 concerns Vanilla Forums before 2.0.17.6, with an open redirect vulnerability that can send users to arbitrary sites via a URL in the Target parameter to an unspecified component (open redirect, not CVE-2011-0526). Red Hat entries corroborate the same description. The sources do not ...
CVE-2018-19499
The CVE-2018-19499 issue affects Vanilla Forums (Vanilla) where the unserialize vulnerability is in the Gdn_Format class. A crafted phar-archive can trigger remote code execution, requiring authentication (which can be bypassed according to the advisory) and allowing code execution under the web ...
CVE-2019-9889
Vanilla Forums vulnerability CVE-2019-9889 affects Vanilla before 2.6.4. The flaw is in AddonManager::getSingleIndex where a crafted type value leads to a Directory Traversal with File Inclusion, enabling remote code execution under the web server's context. Reports confirm the issue allows code ...
CVE-2011-0909
Vanilla Forums is affected by CVE-2011-0909 (before 2.0.17.6). The vulnerability is a Cross-site Scripting (XSS) flaw that allows remote attackers to inject arbitrary web script or HTML via the p parameter to an unspecified component. Connected Red Hat CVE entries corroborate the same description...
CVE-2013-3527
Vanilla Forums suffers from SQL injection in versions before 2.0.18.8. The vulnerability allows remote attackers to inject arbitrary SQL via the Form/Email parameter array during entry/signin or entry/passwordrequest, potentially compromising data. Affected component: Vanilla Forums core (web applicat...
CVE-2011-3812
CVE-2011-3812 affects Vanilla CMS 2.0.16, where a remote attacker can trigger an error message from direct requests to PHP files (notably plugins/Minify/min/utils.php) to reveal the installation path. The documents do not specify a confirmed patch or workaround; remediation details are not provid...
CVE-2011-0910
Vanilla Forums vulnerability CVE-2011-0910 affects versions before 2.0.17.6. The cookie implementation allows remote attackers to spoof signed requests and potentially gain access to arbitrary user accounts via HMAC timing attacks. Root cause: flawed cookie handling enabling timing-based forgery....
CVE-2018-16410
CVE-2018-16410 affects Vanilla before 2.6.1 and allows SQL injection via an invitationID array to /profile/deleteInvitation. The vulnerability relates to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php. According to CVSS, ...
CVE-2014-9685
Summary: CVE-2014-9685 concerns multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums. Affected versions are prior to 2.0.18.13 and 2.1.x prior to 2.1.1. The bugs allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. The documented impact is user-v...
CVE-2018-17571
CVE-2018-17571 affects Vanilla before 2.6.1. The vulnerability is a cross-site scripting (XSS) flaw reachable via the email field in a user profile. The connected CNVD/NVD/OSV entries consistently describe the same issue and identify Vanilla 2.6.1 as the fixed version. Practical impact, per the s...