Vanilla Forums < 2.3 - Remote Code Execution Vulnerability

by CIRT Team

Description: Vanilla Forums software (including the latest stable version of 2.3 in its default configuration) is affected by * Host Header Injection CVE-2016-10073 which can be exploited by unauthenticated remote attackers to potentially intercept password reset hash and gain unauthorized access to the victim account or perform web-cache poisoning attacks.

Impact:  With victim user interaction, attacker could potentially intercept the password reset hash. This vulnerability may also lead to web-cache poisoning if the HOST header is used to form links in web responses. See references for more details on this vector.

Mitigation: Updates are available. Please see the references for more information.

Reference URL’s:

• https://open.vanillaforums.com/discussion/33498/critical-security-release-vanilla-2-3-1
• https://open.vanillaforums.com/addon/vanilla-core-2.3.1

CIRT Team

Recommended Posts

Active Exploitation of Critical F5 BIG – IP Vulnerability (CVE–2023-46747) Uncovered in Bangladesh

06 Nov 2024 - Security Advisories & Alerts

Emerging Threat_Stealer Malware (Lumma C2) Campaign with fake CAPTCHA pages

08 Oct 2024 - Security Advisories & Alerts

Detection of Fog Ransomware Footprint in Cyber Space of Bangladesh

12 Sep 2024 - Security Advisories & Alerts