Vanilla Forums
Products
4- 10 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
13| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10073 | Hig | 0.58 | 7.5 | 0.84 | May 23, 2017 | The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request. | ||
| CVE-2017-1000432 | Hig | 0.55 | 8.0 | 0.02 | Jan 2, 2018 | Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access | ||
| CVE-2018-16410 | Med | 0.42 | 6.5 | 0.01 | Sep 3, 2018 | Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php. | ||
| CVE-2012-6557 | 0.03 | — | 0.02 | May 23, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) AboutMe/RealName, (2) AboutMe/Name, (3) AboutMe/Quote, (4) AboutMe/Loc, (5) AboutMe/Emp, (6)… | |||
| CVE-2012-6556 | 0.03 | — | 0.02 | May 23, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) User/FirstName or (2) User/LastName parameter to the edit user page. NOTE: some of these details… | |||
| CVE-2012-6555 | 0.03 | — | 0.02 | May 23, 2013 | Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title. | |||
| CVE-2014-9685 | 0.00 | — | 0.02 | Feb 25, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums before 2.0.18.13 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2013-3528 | 0.00 | — | 0.06 | May 10, 2013 | Unspecified vulnerability in the update check in Vanilla Forums before 2.0.18.8 has unspecified impact and remote attack vectors, related to "object injection." | |||
| CVE-2013-3527 | 0.00 | — | 0.04 | May 10, 2013 | Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest. | |||
| CVE-2011-0910 | 0.00 | — | 0.01 | Feb 8, 2011 | The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and consequently obtain access to arbitrary user accounts, via HMAC timing attacks. | |||
| CVE-2011-0909 | 0.00 | — | 0.01 | Feb 8, 2011 | Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to inject arbitrary web script or HTML via the p parameter to an unspecified component, a different vulnerability than CVE-2011-0526. | |||
| CVE-2011-0908 | 0.00 | — | 0.01 | Feb 8, 2011 | Open redirect vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the Target parameter to an unspecified component, a different vulnerability than CVE-2011-0526. | |||
| CVE-2011-0526 | 0.00 | — | 0.01 | Feb 8, 2011 | Cross-site scripting (XSS) vulnerability in index.php in Vanilla Forums before 2.0.17 allows remote attackers to inject arbitrary web script or HTML via the Target parameter in a /entry/signin action. |
- risk 0.58cvss 7.5epss 0.84
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.
- risk 0.55cvss 8.0epss 0.02
Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access
- risk 0.42cvss 6.5epss 0.01
Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.
- CVE-2012-6557May 23, 2013risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) AboutMe/RealName, (2) AboutMe/Name, (3) AboutMe/Quote, (4) AboutMe/Loc, (5) AboutMe/Emp, (6)…
- CVE-2012-6556May 23, 2013risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNames plugin 1.1.1 for Vanilla Forums allow remote attackers to inject arbitrary web script or HTML via the (1) User/FirstName or (2) User/LastName parameter to the edit user page. NOTE: some of these details…
- CVE-2012-6555May 23, 2013risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1.1 for Vanilla Forums allows remote attackers to inject arbitrary web script or HTML via the discussion title.
- CVE-2014-9685Feb 25, 2015risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums before 2.0.18.13 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2013-3528May 10, 2013risk 0.00cvss —epss 0.06
Unspecified vulnerability in the update check in Vanilla Forums before 2.0.18.8 has unspecified impact and remote attack vectors, related to "object injection."
- CVE-2013-3527May 10, 2013risk 0.00cvss —epss 0.04
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest.
- CVE-2011-0910Feb 8, 2011risk 0.00cvss —epss 0.01
The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and consequently obtain access to arbitrary user accounts, via HMAC timing attacks.
- CVE-2011-0909Feb 8, 2011risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to inject arbitrary web script or HTML via the p parameter to an unspecified component, a different vulnerability than CVE-2011-0526.
- CVE-2011-0908Feb 8, 2011risk 0.00cvss —epss 0.01
Open redirect vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the Target parameter to an unspecified component, a different vulnerability than CVE-2011-0526.
- CVE-2011-0526Feb 8, 2011risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in index.php in Vanilla Forums before 2.0.17 allows remote attackers to inject arbitrary web script or HTML via the Target parameter in a /entry/signin action.