Vulnerabilities > Vanillaforums > Vanilla > 2.0.17.10

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2019-03-21 | CVE-2019-9889 | Path Traversal vulnerability in Vanillaforums Vanilla | In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. | network | low complexity | vanillaforums | CWE-22 | 4.0 |
| 2018-11-23 | CVE-2018-19499 | Deserialization of Untrusted Data vulnerability in Vanillaforums Vanilla | Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class. | network | low complexity | vanillaforums | CWE-502 | 6.5 |
| 2018-09-28 | CVE-2018-17571 | Cross-site Scripting vulnerability in Vanillaforums Vanilla | Vanilla before 2.6.1 allows XSS via the email field of a profile. | | | | | 4.3 |
| 2017-05-23 | CVE-2016-10073 | Information Exposure vulnerability in Vanillaforums Vanilla | The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request. | network | low complexity | vanillaforums | CWE-200 | 5.0 |
| 2015-02-25 | CVE-2014-9685 | Cross-site Scripting vulnerability in Vanillaforums Vanilla and Vanilla Forums | Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums before 2.0.18.13 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | | | | | 4.3 |
| 2013-05-10 | CVE-2013-3528 | PHP Code Injection vulnerability in Vanillaforums Vanilla | Unspecified vulnerability in the update check in Vanilla Forums before 2.0.18.8 has unspecified impact and remote attack vectors, related to "object injection." | network | low complexity | vanillaforums | | 7.5 |
| 2013-05-10 | CVE-2013-3527 | SQL Injection vulnerability in Vanillaforums Vanilla | Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands via the parameter name in the Form/Email array to (1) entry/signin or (2) entry/passwordrequest. | network | low complexity | vanillaforums | CWE-89 | 7.5 |
| 2012-11-15 | CVE-2012-4954 | Permissions, Privileges, and Access Controls vulnerability in Vanillaforums Vanilla and Vanilla Forums | The edit-profile page in Vanilla Forums before 2.1a32 allows remote authenticated users to modify arbitrary profile settings by replacing the UserID value during a man-in-the-middle attack, related to a "parameter manipulation" issue. | | | | | 3.5 |