Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Execution because authenticated administrators have a reachable call to unserialize in the Gdn_Format class.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Vanilla | Vanillaforums | * | 2.5.5 (excluding) |
| Vanilla | Vanillaforums | 2.6.0 (including) | 2.6.2 (excluding) |