Home/Product/vanillaforums vanilla
Product

vanillaforums vanilla

28 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2020-8825
all versions
index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.
5.4MEDIUM
 CVE-2011-1009
>= 2.0.17.1 and <= 2.0.17.5
Vanilla Forums 2.0.17.1 through 2.0.17.5 has XSS in /vanilla/index.php via the p parameter.
6.1MEDIUM
 CVE-2011-3614
< 2.0.17.9
An Access Control vulnerability exists in the Facebook, Twitter, and Embedded plugins in Vanilla Forums before 2.0.17.9.
9.8CRITICAL
 CVE-2011-3613
< 2.0.17.9
An issue exists in Vanilla Forums before 2.0.17.9 due to the way cookies are handled.
7.5HIGH
 CVE-2019-9889
< 2.6.4
In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a requir
2.7LOW
 CVE-2018-19499
< 2.5.5
Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable cal
7.2HIGH
 CVE-2018-18903
>= 2.6.0 and < 2.6.4
Vanilla 2.6.x before 2.6.4 allows remote code execution.
9.8CRITICAL
 CVE-2018-17571
< 2.6.1
Vanilla before 2.6.1 allows XSS via the email field of a profile.
6.1MEDIUM
 CVE-2018-16410
all versions
Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboar
6.5MEDIUM
 CVE-2016-10073
<= 2.3.0
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain i
7.5HIGH
 CVE-2014-9685
<= 2.0.18.12
Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums before 2.0.18.13 and 2.1.x before 2.1.1 allow remote attacke
 CVE-2013-3528
<= 2.0.18.7
Unspecified vulnerability in the update check in Vanilla Forums before 2.0.18.8 has unspecified impact and remote attack vectors,
 CVE-2013-3527
<= 2.0.18.7
Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18.8 allow remote attackers to execute arbitrary SQL commands
 CVE-2012-4954
<= 2.0.18.4
The edit-profile page in Vanilla Forums before 2.1a32 allows remote authenticated users to modify arbitrary profile settings by re
 CVE-2011-3812
all versions
Vanilla 2.0.16 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the inst
 CVE-2011-0910
<= 2.0.17.5
The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and con
 CVE-2011-0909
<= 2.0.17.5
Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to inject arbitrary web script
 CVE-2011-0908
<= 2.0.17.5
Open redirect vulnerability in Vanilla Forums before 2.0.17.6 allows remote attackers to redirect users to arbitrary web sites and
 CVE-2011-0526
<= 2.0.16
Cross-site scripting (XSS) vulnerability in index.php in Vanilla Forums before 2.0.17 allows remote attackers to inject arbitrary
 CVE-2010-1337
<= 1.1.10
Multiple PHP remote file inclusion vulnerabilities in definitions.php in Lussumo Vanilla 1.1.10, and possibly 0.9.2 and other vers
 CVE-2009-1845
all versions
Cross-site scripting (XSS) vulnerability in ajax/updatecheck.php in Lussumo Vanilla 1.1.5 and 1.1.7 allows remote attackers to inj
 CVE-2008-3874
<= 1.1.5-rc1
Cross-site scripting (XSS) vulnerability in account.php in Lussumo Vanilla 1.1.5-rc1, 1.1.4, and earlier allows remote authenticat
 CVE-2008-3760
<= 1.1.4
Cross-site request forgery (CSRF) vulnerability in the sign-out page in Vanilla 1.1.4 and earlier allows remote attackers to hijac
 CVE-2008-3759
<= 1.1.4
Cross-site request forgery (CSRF) vulnerability in ajax/UpdateCheck.php in Vanilla 1.1.4 and earlier has unknown impact and remote
 CVE-2008-3758
<= 1.1.4
Multiple cross-site scripting (XSS) vulnerabilities in Lussumo Vanilla 1.1.4 and earlier (1) allow remote attackers to inject arbi
 CVE-2007-5644
<= 1.1.3
Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, wh
 CVE-2007-5643
<= 1.1.3
Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL comman
 CVE-2006-3850
<= 1.0.1
PHP remote file inclusion vulnerability in upgrader.php in Vanilla CMS 1.0.1 and earlier, when /conf/old_settings.php exists, allo
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Coverage report
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns TAXII feed Data sources
About All capabilities Pricing API docs Live status Privacy policy Terms of service
threatengine.sh