Description
Vanilla before 2.6.1 allows SQL injection via an invitationID array passed to /profile/deleteInvitation; the affected code is in applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.
Remediation
References