Vanillaforums: >> Vanilla >> 2.1.12 Security Vulnerabilities
In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server.
CVSS Score
2.7
EPSS Score
0.003
Published
2019-03-21
Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class.
CVSS Score
7.2
EPSS Score
0.023
Published
2018-11-23
Vanilla before 2.6.1 allows XSS via the email field of a profile.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-09-28
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.
CVSS Score
7.5
EPSS Score
0.683
Published
2017-05-23