Vanilla Forums < 2.3 - Remote Code Execution Vulnerability
by CIRT Team
Description: Vanilla Forums software (including the latest stable version of 2.3 in its default configuration) is affected by * Host Header Injection CVE-2016-10073 which can be exploited by unauthenticated remote attackers to potentially intercept password reset hash and gain unauthorized access to the victim account or perform web-cache poisoning attacks.
Impact: With victim user interaction, attacker could potentially intercept the password reset hash. This vulnerability may also lead to web-cache poisoning if the HOST header is used to form links in web responses. See references for more details on this vector.
Mitigation: Updates are available. Please see the references for more information.
Reference URL’s:
- https://open.vanillaforums.com/discussion/33498/critical-security-release-vanilla-2-3-1
- https://open.vanillaforums.com/addon/vanilla-core-2.3.1
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
