Description

Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.

Remediation

References

CVE-2018-16410

Related Vulnerabilities

Joomla! Core Multiple SQL Injection Vulnerabilities (2.5.0 - 3.9.13)

Apache Traffic Server Improper Input Validation Vulnerability (CVE-2022-25763)

Nexus Repository Manager CVE-2019-15893 Vulnerability (CVE-2019-15893)

WordPress Plugin Web Stories Server-Side Request Forgery (1.24.0)

OpenSSL NULL Pointer Dereference Vulnerability (CVE-2016-7052)

Severity

Medium

Classification

CVE-2018-16410 CWE-138 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities