Vulnerability in Vanillaforums Vanilla

CVE-2012-4954

The edit-profile page in Vanilla Forums before 2.1a32 allows remote authenticated users to modify arbitrary profile settings by replacing the UserID value during a man-in-the-middle attack, related to a "parameter manipulation" issue.

EPSS: 0.010 (77.6th percentile) — read the EPSS interpretation.

Affected products

Vanillaforums Vanilla — versions 2.0.0, 2.0.1, 2.0.2
Vanillaforums Vanilla_forums
N/a — versions n/a

Weakness classification (CWE)

CWE-264

References

56483 (vdb-entry, x_refsource_BID)
vanilla-forums-parameter-sec-bypass(80000) (vdb-entry, x_refsource_XF)
VU#611988 (x_refsource_CERT-VN, US Government Resource, third-party-advisory)