Vulnerability Description
In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vanillaforums | Vanilla | < 2.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/vanilla/vanilla/compare/b043ae8...9f12b22Third Party Advisory
- https://github.com/vanilla/vanilla/pull/7840Third Party Advisory
- https://hackerone.com/reports/411140ExploitThird Party Advisory
- https://github.com/vanilla/vanilla/compare/b043ae8...9f12b22Third Party Advisory
- https://github.com/vanilla/vanilla/pull/7840Third Party Advisory
- https://hackerone.com/reports/411140ExploitThird Party Advisory
FAQ
What is CVE-2019-9889?
CVE-2019-9889 is a vulnerability with a CVSS score of 2.7 (LOW). In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with...
How severe is CVE-2019-9889?
CVE-2019-9889 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-9889?
Check the references section above for vendor advisories and patch information. Affected products include: Vanillaforums Vanilla.