CVE-2018-16410

Name of the Vulnerable Software and Affected Versions Vanilla versions prior to 2.6.1

Description The issue allows SQL injection via an invitationID array to the "/profile/deleteInvitation" API endpoint, related to the applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php files.

Recommendations For versions prior to 2.6.1, update to version 2.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/profile/deleteInvitation" API endpoint until a patch is available. Avoid using the invitationID array in the affected API endpoint until the issue is resolved.