Vanilla prior to 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
vanillaforums vanilla 2.6.1 |