Vanilla Forums < 2.3 - Remote Code Execution Vulnerability

Description: Vanilla Forums software (including the latest stable version, 2.3, in its default configuration) is affected by a Host Header Injection vulnerability, CVE-2016-10073, which can be exploited by unauthenticated remote attackers to potentially intercept the password reset hash and gain unauthorized access to the victim's account, or to perform web-cache poisoning attacks.

Impact: With victim user interaction, an attacker could potentially intercept the password reset hash. This vulnerability may also lead to web-cache poisoning if the HOST header is used to form links in web responses. See references for more details on this vector.

Mitigation: Updates are available. Please see the references for more information.
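The defect class behind this advisory is an absolute link (such as the password reset URL in a reset e-mail) built from the request's Host header, so a forged header redirects the reset token to a host the attacker chose. The following is an added example, not Vanilla Forums' own code: it shows the trusting pattern beside a hardened version that links only to a configured canonical host and rejects unexpected Host values, plus a small log check; the host names, the reset path and the log format are constructed for the example.

```python
# Added example, not Vanilla Forums code. Host names, RESET_PATH and the
# access-log format below are constructed for illustration.
from urllib.parse import urlencode

CANONICAL_HOST = "forum.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST, "www.forum.example.com"}
RESET_PATH = "/entry/passwordreset"   # hypothetical path


def normalize_host(raw):
    """Lower-case the host and drop an explicit port ('Forum.Example.com:443')."""
    host = raw.strip().lower()
    if host.startswith("["):           # IPv6 literal such as [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the link's host comes straight from the request,
    including the proxy override header, so the client controls where the
    reset token is sent."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}{RESET_PATH}?" + urlencode({"t": token})


def reset_link_fixed(headers, token):
    """Hardened pattern: refuse requests for hosts outside the allow-list and
    always build the link from the configured canonical host, never from
    request data."""
    host = normalize_host(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"request for unexpected host {host!r}")
    return f"https://{CANONICAL_HOST}{RESET_PATH}?" + urlencode({"t": token})


def suspicious_hosts(log_lines):
    """Detection aid: return (line_no, host) for access-log lines whose Host
    is not allow-listed. Constructed log format: 'ip host method path'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        _ip, host, _method, _path = line.split()
        if normalize_host(host) not in ALLOWED_HOSTS:
            hits.append((n, host))
    return hits
```

Deployments behind a reverse proxy should also pin the server name at the proxy or web server so that requests for arbitrary hosts never reach the application.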

Reference URLs:
