VYPR
Vendor

Vanilla Forums

Products
4
CVEs
13
Across products
13
Status
Private

Products

4

Recent CVEs

13
  • CVE-2016-10073HigMay 23, 2017
    risk 0.58cvss 7.5epss 0.84

    The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.

  • CVE-2017-1000432HigJan 2, 2018
    risk 0.55cvss 8.0epss 0.02

    Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access

  • CVE-2018-16410MedSep 3, 2018
    risk 0.42cvss 6.5epss 0.01

    Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.

  • CVE-2012-6557May 23, 2013
    risk 0.03cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) AboutMe/RealName, (2) AboutMe/Name, (3) AboutMe/Quote, (4) AboutMe/Loc, (5) AboutMe/Emp, (6)…

  • CVE-2012-6556May 23, 2013
    risk 0.03cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) User/FirstName or (2) User/LastName parameter to the edit user page. NOTE: some of these details…

  • CVE-2012-6555May 23, 2013
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title.

  • CVE-2014-9685Feb 25, 2015
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums before 2.0.18.13 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2013-3528May 10, 2013
    risk 0.00cvss epss 0.06

    Unspecified vulnerability in the update check in Vanilla Forums before 2.0.18.8 has unspecified impact and remote attack vectors, related to "object injection."

  • CVE-2013-3527May 10, 2013
    risk 0.00cvss epss 0.04

    Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.

  • CVE-2011-0910Feb 8, 2011
    risk 0.00cvss epss 0.01

    The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and consequently obtain access to arbitrary user accounts, via HMAC timing attacks.

  • CVE-2011-0909Feb 8, 2011
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to inject arbitrary web script or HTML via the p parameter to an unspecified component, a different vulnerability than CVE-2011-0526.

  • CVE-2011-0908Feb 8, 2011
    risk 0.00cvss epss 0.01

    Open redirect vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the Target parameter to an unspecified component, a different vulnerability than CVE-2011-0526.

  • CVE-2011-0526Feb 8, 2011
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in Vanilla Forums before 2.0.17 allows remote attackers to inject arbitrary web script or HTML via the Target parameter in a /entry/signin action.