Description
Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.
Remediation
References