Vulnerabilites related to invisioncommunity - invision_power_board
CVE-2009-3974 (GCVE-0-2009-3974)
Vulnerability from cvelistv5
Published
2009-11-18 23:00
Modified
2024-09-16 17:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number.
References
| ▼ | URL | Tags |
|---|---|---|
| http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/ | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2009/2413 | vdb-entry, x_refsource_VUPEN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:45:50.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/"
},
{
"name": "ADV-2009-2413",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/2413"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-11-18T23:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/"
},
{
"name": "ADV-2009-2413",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/2413"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-3974",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/",
"refsource": "CONFIRM",
"url": "http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/"
},
{
"name": "ADV-2009-2413",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/2413"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-3974",
"datePublished": "2009-11-18T23:00:00Z",
"dateReserved": "2009-11-18T00:00:00Z",
"dateUpdated": "2024-09-16T17:17:57.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-8278 (GCVE-0-2019-8278)
Vulnerability from cvelistv5
Published
2019-03-02 01:00
Modified
2024-09-16 17:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Stored XSS
Summary
Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/107258 | vdb-entry, x_refsource_BID | |
| https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kaspersky Lab | Invision Power Board |
Version: 3.3.1 - 3.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:17:31.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107258",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107258"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Invision Power Board",
"vendor": "Kaspersky Lab",
"versions": [
{
"status": "affected",
"version": "3.3.1 - 3.4.8"
}
]
}
],
"datePublic": "2019-02-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-06T10:57:01",
"orgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988",
"shortName": "Kaspersky"
},
"references": [
{
"name": "107258",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107258"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerability@kaspersky.com",
"DATE_PUBLIC": "2019-02-14T00:00:00",
"ID": "CVE-2019-8278",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Invision Power Board",
"version": {
"version_data": [
{
"version_value": "3.3.1 - 3.4.8"
}
]
}
}
]
},
"vendor_name": "Kaspersky Lab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stored XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107258",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107258"
},
{
"name": "https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html",
"refsource": "MISC",
"url": "https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988",
"assignerShortName": "Kaspersky",
"cveId": "CVE-2019-8278",
"datePublished": "2019-03-02T01:00:00Z",
"dateReserved": "2019-02-12T00:00:00",
"dateUpdated": "2024-09-16T17:43:33.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-5106 (GCVE-0-2014-5106)
Vulnerability from cvelistv5
Published
2014-07-28 15:00
Modified
2024-08-06 11:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/94693 | vdb-entry, x_refsource_XF | |
| http://www.securityfocus.com/archive/1/532822/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/bid/68705 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:37.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ipboard-index-referer-xss(94693)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94693"
},
{
"name": "20140716 IP.Board 3.4 cross-site scripting in Referer header",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/532822/100/0/threaded"
},
{
"name": "68705",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/68705"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-07-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "ipboard-index-referer-xss(94693)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94693"
},
{
"name": "20140716 IP.Board 3.4 cross-site scripting in Referer header",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/532822/100/0/threaded"
},
{
"name": "68705",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/68705"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-5106",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ipboard-index-referer-xss(94693)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94693"
},
{
"name": "20140716 IP.Board 3.4 cross-site scripting in Referer header",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/532822/100/0/threaded"
},
{
"name": "68705",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/68705"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-5106",
"datePublished": "2014-07-28T15:00:00",
"dateReserved": "2014-07-28T00:00:00",
"dateUpdated": "2024-08-06T11:34:37.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3725 (GCVE-0-2013-3725)
Vulnerability from cvelistv5
Published
2020-02-12 18:05
Modified
2024-08-06 16:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:21:59.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-12T18:05:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-3725",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742",
"refsource": "MISC",
"url": "http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-3725",
"datePublished": "2020-02-12T18:05:38",
"dateReserved": "2013-05-30T00:00:00",
"dateUpdated": "2024-08-06T16:21:59.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8898 (GCVE-0-2017-8898)
Vulnerability from cvelistv5
Published
2017-05-11 17:00
Modified
2024-09-17 01:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the "<> Source" option.
References
| ▼ | URL | Tags |
|---|---|---|
| http://zeroday.insecurity.zone/exploits/ipb_owned.txt | x_refsource_MISC | |
| https://twitter.com/insecurity/status/862154908895780864 | x_refsource_MISC | |
| https://twitter.com/sxcurity/status/862284967715381248 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:48:22.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/\u0026action=create request. This is related to the \"\u003c\u003e Source\" option."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-11T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-8898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/\u0026action=create request. This is related to the \"\u003c\u003e Source\" option."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt",
"refsource": "MISC",
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"name": "https://twitter.com/insecurity/status/862154908895780864",
"refsource": "MISC",
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"name": "https://twitter.com/sxcurity/status/862284967715381248",
"refsource": "MISC",
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-8898",
"datePublished": "2017-05-11T17:00:00Z",
"dateReserved": "2017-05-11T00:00:00Z",
"dateUpdated": "2024-09-17T01:10:33.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2009-5159 (GCVE-0-2009-5159)
Vulnerability from cvelistv5
Published
2020-03-13 14:20
Modified
2024-08-07 07:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.securityfocus.com/bid/37263/info | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/33394 | x_refsource_MISC | |
| https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://community.invisionpower.com/topic/300051-invision-power-board-305-released/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:32:23.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.securityfocus.com/bid/37263/info"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/33394"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://community.invisionpower.com/topic/300051-invision-power-board-305-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-13T14:20:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.securityfocus.com/bid/37263/info"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/33394"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://community.invisionpower.com/topic/300051-invision-power-board-305-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-5159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.securityfocus.com/bid/37263/info",
"refsource": "MISC",
"url": "https://www.securityfocus.com/bid/37263/info"
},
{
"name": "https://www.exploit-db.com/exploits/33394",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/33394"
},
{
"name": "https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html"
},
{
"name": "http://community.invisionpower.com/topic/300051-invision-power-board-305-released/",
"refsource": "MISC",
"url": "http://community.invisionpower.com/topic/300051-invision-power-board-305-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-5159",
"datePublished": "2020-03-13T14:20:59",
"dateReserved": "2020-03-13T00:00:00",
"dateUpdated": "2024-08-07T07:32:23.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3149 (GCVE-0-2014-3149)
Vulnerability from cvelistv5
Published
2014-07-03 14:00
Modified
2024-08-06 10:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4.6, as downloaded before 20140424, or IP.Nexus 1.5.x through 1.5.9, as downloaded before 20140424, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/532618/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.christian-schneider.net/advisories/CVE-2014-3149.txt | x_refsource_MISC | |
| http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/67164 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:35:56.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20140701 CVE-2014-3149 - Reflected Cross-Site Scripting (XSS) in \"Invision Power IP.Board\"",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/532618/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.christian-schneider.net/advisories/CVE-2014-3149.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update"
},
{
"name": "67164",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/67164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4.6, as downloaded before 20140424, or IP.Nexus 1.5.x through 1.5.9, as downloaded before 20140424, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20140701 CVE-2014-3149 - Reflected Cross-Site Scripting (XSS) in \"Invision Power IP.Board\"",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/532618/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.christian-schneider.net/advisories/CVE-2014-3149.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update"
},
{
"name": "67164",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/67164"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3149",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4.6, as downloaded before 20140424, or IP.Nexus 1.5.x through 1.5.9, as downloaded before 20140424, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20140701 CVE-2014-3149 - Reflected Cross-Site Scripting (XSS) in \"Invision Power IP.Board\"",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/532618/100/0/threaded"
},
{
"name": "http://www.christian-schneider.net/advisories/CVE-2014-3149.txt",
"refsource": "MISC",
"url": "http://www.christian-schneider.net/advisories/CVE-2014-3149.txt"
},
{
"name": "http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html"
},
{
"name": "http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update",
"refsource": "CONFIRM",
"url": "http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update"
},
{
"name": "67164",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/67164"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3149",
"datePublished": "2014-07-03T14:00:00",
"dateReserved": "2014-05-02T00:00:00",
"dateUpdated": "2024-08-06T10:35:56.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2226 (GCVE-0-2012-2226)
Vulnerability from cvelistv5
Published
2020-01-09 20:23
Modified
2024-08-06 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/52998 | vdb-entry, x_refsource_BID | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/74855 | vdb-entry, x_refsource_XF |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:08.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "52998",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52998"
},
{
"name": "74855",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74855"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-09T20:23:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "52998",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52998"
},
{
"name": "74855",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74855"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-2226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "52998",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/52998"
},
{
"name": "74855",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74855"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-2226",
"datePublished": "2020-01-09T20:23:36",
"dateReserved": "2012-04-11T00:00:00",
"dateUpdated": "2024-08-06T19:26:08.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6812 (GCVE-0-2015-6812)
Vulnerability from cvelistv5
Published
2015-09-04 17:00
Modified
2024-09-16 17:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.invisionpower.com/release-notes/40121-r22/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:29:24.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://community.invisionpower.com/release-notes/40121-r22/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-09-04T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://community.invisionpower.com/release-notes/40121-r22/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6812",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.invisionpower.com/release-notes/40121-r22/",
"refsource": "CONFIRM",
"url": "https://community.invisionpower.com/release-notes/40121-r22/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6812",
"datePublished": "2015-09-04T17:00:00Z",
"dateReserved": "2015-09-04T00:00:00Z",
"dateUpdated": "2024-09-16T17:08:58.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8899 (GCVE-0-2017-8899)
Vulnerability from cvelistv5
Published
2017-05-11 17:00
Modified
2024-09-17 00:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation.
References
| ▼ | URL | Tags |
|---|---|---|
| http://zeroday.insecurity.zone/exploits/ipb_owned.txt | x_refsource_MISC | |
| https://twitter.com/insecurity/status/862154908895780864 | x_refsource_MISC | |
| https://twitter.com/sxcurity/status/862284967715381248 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:48:22.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-11T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-8899",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt",
"refsource": "MISC",
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"name": "https://twitter.com/insecurity/status/862154908895780864",
"refsource": "MISC",
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"name": "https://twitter.com/sxcurity/status/862284967715381248",
"refsource": "MISC",
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-8899",
"datePublished": "2017-05-11T17:00:00Z",
"dateReserved": "2017-05-11T00:00:00Z",
"dateUpdated": "2024-09-17T00:31:12.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39250 (GCVE-0-2021-39250)
Vulnerability from cvelistv5
Published
2021-08-17 22:02
Modified
2024-08-04 02:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).
References
| ▼ | URL | Tags |
|---|---|---|
| https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ | x_refsource_MISC | |
| https://invisioncommunity.com/release-notes/4651-r102/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:40.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T22:02:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-39250",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/",
"refsource": "MISC",
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"name": "https://invisioncommunity.com/release-notes/4651-r102/",
"refsource": "MISC",
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-39250",
"datePublished": "2021-08-17T22:02:12",
"dateReserved": "2021-08-17T00:00:00",
"dateUpdated": "2024-08-04T02:06:40.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-3424 (GCVE-0-2010-3424)
Vulnerability from cvelistv5
Published
2010-09-16 21:00
Modified
2024-09-17 00:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/ | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2010/2328 | vdb-entry, x_refsource_VUPEN | |
| http://www.securityfocus.com/bid/43053 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/41314 | third-party-advisory, x_refsource_SECUNIA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:11:44.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/"
},
{
"name": "ADV-2010-2328",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2010/2328"
},
{
"name": "43053",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/43053"
},
{
"name": "41314",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/41314"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-09-16T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/"
},
{
"name": "ADV-2010-2328",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2010/2328"
},
{
"name": "43053",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/43053"
},
{
"name": "41314",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/41314"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-3424",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/",
"refsource": "CONFIRM",
"url": "http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/"
},
{
"name": "ADV-2010-2328",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2010/2328"
},
{
"name": "43053",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/43053"
},
{
"name": "41314",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/41314"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-3424",
"datePublished": "2010-09-16T21:00:00Z",
"dateReserved": "2010-09-16T00:00:00Z",
"dateUpdated": "2024-09-17T00:55:54.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-2564 (GCVE-0-2016-2564)
Vulnerability from cvelistv5
Published
2017-04-23 15:00
Modified
2024-08-05 23:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9 | x_refsource_MISC | |
| https://invisionpower.com/release-notes/419-r37/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:32:20.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://invisionpower.com/release-notes/419-r37/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-23T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://invisionpower.com/release-notes/419-r37/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-2564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://medium.com/@iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9",
"refsource": "MISC",
"url": "https://medium.com/@iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
},
{
"name": "https://invisionpower.com/release-notes/419-r37/",
"refsource": "MISC",
"url": "https://invisionpower.com/release-notes/419-r37/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-2564",
"datePublished": "2017-04-23T15:00:00",
"dateReserved": "2016-02-25T00:00:00",
"dateUpdated": "2024-08-05T23:32:20.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39249 (GCVE-0-2021-39249)
Vulnerability from cvelistv5
Published
2021-08-17 22:02
Modified
2024-08-04 02:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ | x_refsource_MISC | |
| https://invisioncommunity.com/release-notes/4651-r102/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:40.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T22:02:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-39249",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/",
"refsource": "MISC",
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"name": "https://invisioncommunity.com/release-notes/4651-r102/",
"refsource": "MISC",
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-39249",
"datePublished": "2021-08-17T22:02:27",
"dateReserved": "2021-08-17T00:00:00",
"dateUpdated": "2024-08-04T02:06:40.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4928 (GCVE-0-2014-4928)
Vulnerability from cvelistv5
Published
2018-03-20 21:00
Modified
2024-08-06 11:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:34:36.158Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-20T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4928",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html",
"refsource": "MISC",
"url": "http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4928",
"datePublished": "2018-03-20T21:00:00",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:34:36.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8897 (GCVE-0-2017-8897)
Vulnerability from cvelistv5
Published
2017-05-11 17:00
Modified
2024-09-16 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18: admin/convertutf8/index.php?controller= is the attack vector. This UTF8 Converter vulnerability can easily be used to make a malicious announcement affecting any Invision Power Board user who views the announcement.
References
| ▼ | URL | Tags |
|---|---|---|
| http://zeroday.insecurity.zone/exploits/ipb_owned.txt | x_refsource_MISC | |
| https://twitter.com/insecurity/status/862154908895780864 | x_refsource_MISC | |
| https://twitter.com/sxcurity/status/862284967715381248 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:48:22.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18: admin/convertutf8/index.php?controller= is the attack vector. This UTF8 Converter vulnerability can easily be used to make a malicious announcement affecting any Invision Power Board user who views the announcement."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-11T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-8897",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18: admin/convertutf8/index.php?controller= is the attack vector. This UTF8 Converter vulnerability can easily be used to make a malicious announcement affecting any Invision Power Board user who views the announcement."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt",
"refsource": "MISC",
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"name": "https://twitter.com/insecurity/status/862154908895780864",
"refsource": "MISC",
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"name": "https://twitter.com/sxcurity/status/862284967715381248",
"refsource": "MISC",
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-8897",
"datePublished": "2017-05-11T17:00:00Z",
"dateReserved": "2017-05-11T00:00:00Z",
"dateUpdated": "2024-09-16T23:40:53.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-6174 (GCVE-0-2016-6174)
Vulnerability from cvelistv5
Published
2016-07-12 19:00
Modified
2024-08-06 01:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/fulldisclosure/2016/Jul/19 | mailing-list, x_refsource_FULLDISC | |
| http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html | vendor-advisory, x_refsource_APPLE | |
| https://www.exploit-db.com/exploits/40084/ | exploit, x_refsource_EXPLOIT-DB | |
| http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/91732 | vdb-entry, x_refsource_BID | |
| https://support.apple.com/HT207170 | x_refsource_CONFIRM | |
| http://karmainsecurity.com/KIS-2016-11 | x_refsource_MISC | |
| https://invisionpower.com/release-notes/4113-r44/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:22:20.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20160707 [KIS-2016-11] IPS Community Suite \u003c= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2016/Jul/19"
},
{
"name": "APPLE-SA-2016-09-20",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
},
{
"name": "40084",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40084/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html"
},
{
"name": "91732",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91732"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/HT207170"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2016-11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://invisionpower.com/release-notes/4113-r44/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-20T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20160707 [KIS-2016-11] IPS Community Suite \u003c= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2016/Jul/19"
},
{
"name": "APPLE-SA-2016-09-20",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
},
{
"name": "40084",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40084/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html"
},
{
"name": "91732",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91732"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/HT207170"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2016-11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://invisionpower.com/release-notes/4113-r44/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6174",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20160707 [KIS-2016-11] IPS Community Suite \u003c= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2016/Jul/19"
},
{
"name": "APPLE-SA-2016-09-20",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
},
{
"name": "40084",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40084/"
},
{
"name": "http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html"
},
{
"name": "91732",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91732"
},
{
"name": "https://support.apple.com/HT207170",
"refsource": "CONFIRM",
"url": "https://support.apple.com/HT207170"
},
{
"name": "http://karmainsecurity.com/KIS-2016-11",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2016-11"
},
{
"name": "https://invisionpower.com/release-notes/4113-r44/",
"refsource": "CONFIRM",
"url": "https://invisionpower.com/release-notes/4113-r44/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6174",
"datePublished": "2016-07-12T19:00:00",
"dateReserved": "2016-07-06T00:00:00",
"dateUpdated": "2024-08-06T01:22:20.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5692 (GCVE-0-2012-5692)
Vulnerability from cvelistv5
Published
2012-10-31 10:00
Modified
2024-09-16 18:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/ | x_refsource_CONFIRM | |
| http://secunia.com/advisories/51104 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.securityfocus.com/bid/56288 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:14:16.436Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/"
},
{
"name": "51104",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/51104"
},
{
"name": "56288",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56288"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-10-31T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/"
},
{
"name": "51104",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/51104"
},
{
"name": "56288",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56288"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5692",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/",
"refsource": "CONFIRM",
"url": "http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/"
},
{
"name": "51104",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/51104"
},
{
"name": "56288",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/56288"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5692",
"datePublished": "2012-10-31T10:00:00Z",
"dateReserved": "2012-10-29T00:00:00Z",
"dateUpdated": "2024-09-16T18:49:53.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9239 (GCVE-0-2014-9239)
Vulnerability from cvelistv5
Published
2014-12-03 21:00
Modified
2024-09-16 17:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/ | x_refsource_CONFIRM | |
| http://seclists.org/fulldisclosure/2014/Nov/20 | mailing-list, x_refsource_FULLDISC | |
| http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:40:25.157Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/"
},
{
"name": "20141109 IP.Board \u003c= 3.4.7 SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/20"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-03T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/"
},
{
"name": "20141109 IP.Board \u003c= 3.4.7 SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/20"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9239",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/",
"refsource": "CONFIRM",
"url": "http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/"
},
{
"name": "20141109 IP.Board \u003c= 3.4.7 SQL Injection",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2014/Nov/20"
},
{
"name": "http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/",
"refsource": "CONFIRM",
"url": "http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9239",
"datePublished": "2014-12-03T21:00:00Z",
"dateReserved": "2014-12-03T00:00:00Z",
"dateUpdated": "2024-09-16T17:38:45.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2018-03-20 21:29
Modified
2024-11-21 02:11
Severity ?
Summary
SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BB9E913-97C4-486D-B5A0-2E1D79DD20E3",
"versionEndExcluding": "3.4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Invision Power Board (aka IPB or IP.Board) before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the cId parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en Invision Power Board (tambi\u00e9n conocido como IPB o IP.Board), en versiones anteriores a la 3.4.6, permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el par\u00e1metro cld."
}
],
"id": "CVE-2014-4928",
"lastModified": "2024-11-21T02:11:07.483",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-20T21:29:00.780",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://dringen.blogspot.com.au/2014/07/invision-power-board-blind-sql.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-09-04 17:59
Modified
2025-04-12 10:46
Severity ?
Summary
Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56BC0B55-7A90-4034-9F77-E9E599613783",
"versionEndIncluding": "4.0.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL."
},
{
"lang": "es",
"value": "Vulnerabilidad en Invision Power Services IPS Community Suite (tambi\u00e9n conocido como Invision Power Board, IPB o Power Board) en versiones anteriores a 4.0.12.1, permite a atacantes remotos causar una denegaci\u00f3n de servicio (bucle y consumo de memoria) a trav\u00e9s de una URL manipulada."
}
],
"id": "CVE-2015-6812",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-09-04T17:59:00.107",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://community.invisionpower.com/release-notes/40121-r22/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://community.invisionpower.com/release-notes/40121-r22/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-08-17 23:15
Modified
2024-11-21 06:19
Severity ?
Summary
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://invisioncommunity.com/release-notes/4651-r102/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://invisioncommunity.com/release-notes/4651-r102/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11BFD544-1F71-48B6-909E-7E54E71C6528",
"versionEndExcluding": "4.6.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function."
},
{
"lang": "es",
"value": "Invision Community (tambi\u00e9n se conoce como IPS Community Suite o IP-Board) versiones anteriores a 4.6.5.1, permite un ataque de tipo XSS reflejado porque los nombres de los archivos subidos se vuelven predecibles mediante un ataque de fuerza bruta contra la funci\u00f3n PHP mt_rand."
}
],
"id": "CVE-2021-39249",
"lastModified": "2024-11-21T06:19:01.370",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-17T23:15:07.617",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-11 17:29
Modified
2025-04-20 01:37
Severity ?
Summary
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18: admin/convertutf8/index.php?controller= is the attack vector. This UTF8 Converter vulnerability can easily be used to make a malicious announcement affecting any Invision Power Board user who views the announcement.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://zeroday.insecurity.zone/exploits/ipb_owned.txt | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://twitter.com/insecurity/status/862154908895780864 | Third Party Advisory | |
| cve@mitre.org | https://twitter.com/sxcurity/status/862284967715381248 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://zeroday.insecurity.zone/exploits/ipb_owned.txt | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/insecurity/status/862154908895780864 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/sxcurity/status/862284967715381248 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7A015E6-3AFD-4A33-AA69-172D6161DCD1",
"versionEndIncluding": "4.1.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18: admin/convertutf8/index.php?controller= is the attack vector. This UTF8 Converter vulnerability can easily be used to make a malicious announcement affecting any Invision Power Board user who views the announcement."
},
{
"lang": "es",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 y anteriores tiene XSS reflejado previo a la autenticaci\u00f3n en el IPS UTF8 Converter v1.1.18: El vector de ataque es admin/convertutf8/index.php?Controller=. Esta vulnerabilidad del UTF8 Converter puede usarse f\u00e1cilmente para hacer un anuncio malicioso que afecte a cualquier usuario de Invision Power Board que vea el anuncio."
}
],
"id": "CVE-2017-8897",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-11T17:29:00.160",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-11-18 23:30
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | 3.0.0 | |
| invisioncommunity | invision_power_board | 3.0.1 | |
| invisioncommunity | invision_power_board | 3.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FBBD7C1D-B47C-4B37-AE5D-1366B8B4C178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "35249591-FDF5-48F3-904C-4DB85C9D9457",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7853C134-A1E1-4366-8BCB-12538BBA6E3F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Invision Power Board (IPB or IP.Board) v3.0.0, v3.0.1 y v3.0.2, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s de los par\u00e1metros (1) \"search_term\" a admin/applications/core/modules_public/search/search.php y(2) \"aid\" to admin/applications/core/modules_public/global/lostpass.php. NOTA: en el 18/08/2009, el fabricante parche\u00f3 la v3.0.2 sin modificar la versi\u00f3n del producto."
}
],
"id": "CVE-2009-3974",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-11-18T23:30:00.717",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2413"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/2413"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-11 17:29
Modified
2025-04-20 01:37
Severity ?
Summary
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://zeroday.insecurity.zone/exploits/ipb_owned.txt | Exploit, Third Party Advisory | |
| cve@mitre.org | https://twitter.com/insecurity/status/862154908895780864 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://twitter.com/sxcurity/status/862284967715381248 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://zeroday.insecurity.zone/exploits/ipb_owned.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/insecurity/status/862154908895780864 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/sxcurity/status/862284967715381248 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7A015E6-3AFD-4A33-AA69-172D6161DCD1",
"versionEndIncluding": "4.1.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation."
},
{
"lang": "es",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 y anteriores tienen un XSS almacenado y un problema de fuga de informaci\u00f3n en la funcionalidad de adjuntos en User CP. Puede ser utilizada por cualquier usuario Invision Power Board para ganar acceso a cuentas moderador/admin. La causa principal de este problema es la posibilidad de cargar documentos SVG con un atributo manipulado, como onload."
}
],
"id": "CVE-2017-8899",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-11T17:29:00.253",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-12-03 21:59
Modified
2025-04-12 10:46
Severity ?
Summary
SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99FFCEE5-2A51-4D4A-A04E-74DA1A9EA7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "784BFFC7-C237-47ED-AAE2-E6380427473A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "1F58948C-552A-404B-94FE-D80869593E2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "6008A365-6856-4A7D-AD7C-8614B5BEEE18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "C4F1DDBB-5896-4026-8EBF-4934F13576D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "AEE3DB7A-530E-48D9-BA57-BFB524A203F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "6BDB1057-2279-4CC3-8CFB-69B10F772440",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5AE613CF-1CEA-4B3E-9906-DD3B8C7CBCF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A7D0EFE0-6468-4EBB-9AF6-A84B57531ED5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96CAB4DC-6817-4BB8-8665-B06861D67B4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "15F22F32-1FDB-469D-9478-49EBBDCB97B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4A777CF4-9BCE-49D4-9248-6BAA1966B1DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "55C99849-81C5-45A5-B3B8-0BFF62BF19C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "83C25B54-AE40-4E6C-8969-6EFAD0C75604",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "E81E98C8-E959-4E48-8BC1-118EF2CE7AB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "AD21C54B-0118-4CD6-B0BF-5CBB31BC4BED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "2DBFC487-CADD-4410-8817-FD58DED0E5E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "FBA34B41-7997-4A52-8D78-E0BFD798C4BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "73D08920-9F21-442A-BCE3-282EB724ED16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C8719C2-4F1C-43A2-9476-AABE1E30E32C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9743ACA1-6623-4A88-85E1-BBB51906D1FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "45415FB5-9CC7-4144-ACEE-E5DFB13AC6DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "571CA374-11A2-44A9-B007-3F3D4247884A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D52D8713-B5BA-43C2-BC46-02A2CD3950CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "146F423D-D5A6-475F-9B82-3F70FAF03F30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el servicio IPS Connect (interface/ipsconnect/ipsconnect.php) en Invision Power Board (tambi\u00e9n conocido como IPB o IP.Board) 3.3.x y 3.4.x hasta 3.4.7 anterior a 20141114 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro id[]."
}
],
"id": "CVE-2014-9239",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-03T21:59:08.963",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2014/Nov/20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://community.invisionpower.com/blogs/entry/9704-active-security-exploit/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2014/Nov/20"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-09-16 22:00
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | 3.1.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB4BBA21-CF90-4436-92F7-07D2254A5E7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en admin/sources/classes/bbcode/custom/defaults.php en Invision Power Board (IP.Board) v3.1.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2010-3424",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-09-16T22:00:03.110",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41314"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/43053"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/2328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41314"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/43053"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/2328"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-07-03 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4.6, as downloaded before 20140424, or IP.Nexus 1.5.x through 1.5.9, as downloaded before 20140424, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99FFCEE5-2A51-4D4A-A04E-74DA1A9EA7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "784BFFC7-C237-47ED-AAE2-E6380427473A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "1F58948C-552A-404B-94FE-D80869593E2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "6008A365-6856-4A7D-AD7C-8614B5BEEE18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "C4F1DDBB-5896-4026-8EBF-4934F13576D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "AEE3DB7A-530E-48D9-BA57-BFB524A203F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "6BDB1057-2279-4CC3-8CFB-69B10F772440",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5AE613CF-1CEA-4B3E-9906-DD3B8C7CBCF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A7D0EFE0-6468-4EBB-9AF6-A84B57531ED5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96CAB4DC-6817-4BB8-8665-B06861D67B4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "15F22F32-1FDB-469D-9478-49EBBDCB97B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4A777CF4-9BCE-49D4-9248-6BAA1966B1DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "55C99849-81C5-45A5-B3B8-0BFF62BF19C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "83C25B54-AE40-4E6C-8969-6EFAD0C75604",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "E81E98C8-E959-4E48-8BC1-118EF2CE7AB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "AD21C54B-0118-4CD6-B0BF-5CBB31BC4BED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "2DBFC487-CADD-4410-8817-FD58DED0E5E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "FBA34B41-7997-4A52-8D78-E0BFD798C4BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "73D08920-9F21-442A-BCE3-282EB724ED16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C8719C2-4F1C-43A2-9476-AABE1E30E32C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9743ACA1-6623-4A88-85E1-BBB51906D1FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "45415FB5-9CC7-4144-ACEE-E5DFB13AC6DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "571CA374-11A2-44A9-B007-3F3D4247884A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D52D8713-B5BA-43C2-BC46-02A2CD3950CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE3309A2-7A86-4329-AAEC-B4DF3F07D8A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "66328372-F96F-4D2F-9C40-2F496CB7FF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BCC3D41B-97DB-49CD-AB03-70E57E315EF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "1433CDF0-81F0-4F19-A690-3F8CAF9218A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "37E30710-C68D-48A7-AEC6-B90C3F827FA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB5DFDCA-5F55-4DF8-973D-812A6F2A56E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D1288A3F-BC57-405A-A1E9-1C7496C659C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1DD12849-5960-4614-9ABC-37E63EE0CD64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "41F73B12-249D-46B7-82B4-BD9B30C772FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:ip.nexus:1.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C7A3D453-8B96-483B-AE42-D885A3792FB7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4.6, as downloaded before 20140424, or IP.Nexus 1.5.x through 1.5.9, as downloaded before 20140424, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Invision Power IP.Board (tambi\u00e9n conocido como IPB o Power Board) 3.3.x y 3.4.x hasta 3.4.6, descargado antes del 20140424, o IP.Nexus 1.5.x hasta 1.5.9, descargado antes del 20140424, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2014-3149",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-07-03T14:55:07.020",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update"
},
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.christian-schneider.net/advisories/CVE-2014-3149.txt"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/532618/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/67164"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.christian-schneider.net/advisories/CVE-2014-3149.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/532618/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/67164"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-23 15:59
Modified
2025-04-20 01:37
Severity ?
Summary
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6548AE67-644C-4CC9-AB15-AE98E50F0A1C",
"versionEndIncluding": "4.1.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation."
},
{
"lang": "es",
"value": "Invision Power Services (IPS) Community Suite en versiones anteriores a 4.1.9 hace m\u00e1s f\u00e1cil el secuestro de sesi\u00f3n confiando en la funci\u00f3n uniqid de PHP sin el indicador more_entropy. Los atacantes pueden adivinar una cookie de sesi\u00f3n de Invision Power Board si pueden predecir el tiempo exacto de la generaci\u00f3n de cookie"
}
],
"id": "CVE-2016-2564",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-23T15:59:00.153",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://invisionpower.com/release-notes/419-r37/"
},
{
"source": "cve@mitre.org",
"url": "https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://invisionpower.com/release-notes/419-r37/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-331"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-12 19:15
Modified
2024-11-21 01:54
Severity ?
Summary
Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "342D5A2D-BD25-41B4-8821-04DA8A7D5F92",
"versionEndExcluding": "4.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution."
},
{
"lang": "es",
"value": "Invision Power Board (IPB) versiones hasta 3.x, permite la toma de control de la cuenta de administrador conllevando a una ejecuci\u00f3n de c\u00f3digo."
}
],
"id": "CVE-2013-3725",
"lastModified": "2024-11-21T01:54:11.247",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-12T19:15:13.327",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "http://www.john-jean.com/blog/securite-informatique/ipb-invision-power-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execution-742"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-09 21:15
Modified
2024-11-21 01:38
Severity ?
Summary
Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/52998 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/74855 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/52998 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/74855 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEABDB54-DBCA-4D1D-B8D9-A81E16F22ABF",
"versionEndExcluding": "3.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file."
},
{
"lang": "es",
"value": "Invision Power Board versiones anteriores a 3.3.1, no logra sanear las entradas suministradas por el usuario, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n confidencial o ejecutar c\u00f3digo arbitrario mediante la carga de un archivo malicioso."
}
],
"id": "CVE-2012-2226",
"lastModified": "2024-11-21T01:38:44.107",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-09T21:15:11.043",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/52998"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74855"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/52998"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74855"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-11 17:29
Modified
2025-04-20 01:37
Severity ?
Summary
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the "<> Source" option.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://zeroday.insecurity.zone/exploits/ipb_owned.txt | Exploit, Third Party Advisory | |
| cve@mitre.org | https://twitter.com/insecurity/status/862154908895780864 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://twitter.com/sxcurity/status/862284967715381248 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://zeroday.insecurity.zone/exploits/ipb_owned.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/insecurity/status/862154908895780864 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/sxcurity/status/862284967715381248 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7A015E6-3AFD-4A33-AA69-172D6161DCD1",
"versionEndIncluding": "4.1.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/\u0026action=create request. This is related to the \"\u003c\u003e Source\" option."
},
{
"lang": "es",
"value": "Invision Power Services (IPS) Community Suite 4.1.19.2 y anteriores tienen un XSS almacenado en Announcements, permitiendo escalada de privilegios desde un moderador Invision Power Board hasta admin. El ataque utiliza el par\u00e1metro announce_content en una petici\u00f3n index.php?/modcp/announcements/\u0026action=create."
}
],
"id": "CVE-2017-8898",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-11T17:29:00.207",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/insecurity/status/862154908895780864"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://twitter.com/sxcurity/status/862284967715381248"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-08-17 23:15
Modified
2024-11-21 06:19
Severity ?
Summary
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://invisioncommunity.com/release-notes/4651-r102/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://invisioncommunity.com/release-notes/4651-r102/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11BFD544-1F71-48B6-909E-7E54E71C6528",
"versionEndExcluding": "4.6.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML)."
},
{
"lang": "es",
"value": "Invision Community (tambi\u00e9n se conoce como IPS Community Suite o IP-Board) versiones anteriores a 4.6.5.1 permite un ataque de tipo XSS almacenado, con la consiguiente ejecuci\u00f3n de c\u00f3digo, porque un archivo cargado puede colocarse en un elemento IFRAME dentro del contenido generado por el usuario. Para la ejecuci\u00f3n de c\u00f3digo, el atacante puede confiar en la habilidad de un administrador para instalar widgets, la divulgaci\u00f3n del ID de sesi\u00f3n del administrador en un encabezado Referer, y la habilidad de un administrador para usar el motor de plantillas (por ejemplo, Editar HTML)."
}
],
"id": "CVE-2021-39250",
"lastModified": "2024-11-21T06:19:01.570",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-17T23:15:07.660",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://invisioncommunity.com/release-notes/4651-r102/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-13 15:15
Modified
2024-11-21 01:11
Severity ?
Summary
Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * | |
| microsoft | internet_explorer | 5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7EAB12B9-5B60-480D-8B66-9CEE4AC68551",
"versionEndIncluding": "3.0.4",
"versionStartIncluding": "2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:internet_explorer:5:*:*:*:*:*:*:*",
"matchCriteriaId": "B4071D03-D955-4C1B-ACD8-A864F7D0FA02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment."
},
{
"lang": "es",
"value": "Invision Power Board (tambi\u00e9n se conoce como IPB o IP.Board) versiones 2.x hasta 3.0.4, cuando Internet Explorer 5 es usado, permite un ataque de tipo XSS por medio de un archivo adjunto .txt."
}
],
"id": "CVE-2009-5159",
"lastModified": "2024-11-21T01:11:18.017",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-13T15:15:11.093",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/300051-invision-power-board-305-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/33394"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/37263/info"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/300051-invision-power-board-305-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/83624/Invision-Power-Board-3.0.4-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/33394"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/37263/info"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-10-31 10:50
Modified
2025-04-11 00:51
Severity ?
Summary
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | 3.1.2 | |
| invisioncommunity | invision_power_board | 3.3.0 | |
| invisionpower | invision_power_board | 3.1.0 | |
| invisionpower | invision_power_board | 3.1.1 | |
| invisionpower | invision_power_board | 3.1.3 | |
| invisionpower | invision_power_board | 3.1.4 | |
| invisionpower | invision_power_board | 3.2.0 | |
| invisionpower | invision_power_board | 3.2.1 | |
| invisionpower | invision_power_board | 3.2.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EB4BBA21-CF90-4436-92F7-07D2254A5E7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99FFCEE5-2A51-4D4A-A04E-74DA1A9EA7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3CD8FD32-9EE5-49E7-A322-EE30ABF51880",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3EB6D987-906E-4593-B054-6AF3FC2B4F8A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AB16D2F4-C188-41DC-AC4C-9EC7AE00E27C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F94EB139-3EEB-4EFA-94A2-D9C3C2159F5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B7268AFC-DC6D-4A24-8384-E08AC91668D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2DA35C-2B52-49DD-B6D2-3CB9F1E92EF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisionpower:invision_power_board:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0A7602AF-F56E-40C3-B5DE-4029F6AD19E2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad no espec\u00edfica en admin/sources/base/core.php en Invision Power Board (tambi\u00e9n conocido como IPB o IP.Board) v3.1.x hasta v3.3.x tiene un impacto y vectores de ataque desconocidos."
}
],
"id": "CVE-2012-5692",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-10-31T10:50:32.560",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/51104"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/56288"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/51104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/56288"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-07-28 15:55
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.0 | |
| invisioncommunity | invision_power_board | 3.4.1 | |
| invisioncommunity | invision_power_board | 3.4.2 | |
| invisioncommunity | invision_power_board | 3.4.3 | |
| invisioncommunity | invision_power_board | 3.4.4 | |
| invisioncommunity | invision_power_board | 3.4.5 | |
| invisioncommunity | invision_power_board | 3.4.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4A777CF4-9BCE-49D4-9248-6BAA1966B1DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "55C99849-81C5-45A5-B3B8-0BFF62BF19C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "83C25B54-AE40-4E6C-8969-6EFAD0C75604",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "E81E98C8-E959-4E48-8BC1-118EF2CE7AB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "AD21C54B-0118-4CD6-B0BF-5CBB31BC4BED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "2DBFC487-CADD-4410-8817-FD58DED0E5E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "FBA34B41-7997-4A52-8D78-E0BFD798C4BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "73D08920-9F21-442A-BCE3-282EB724ED16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C8719C2-4F1C-43A2-9476-AABE1E30E32C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9743ACA1-6623-4A88-85E1-BBB51906D1FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "45415FB5-9CC7-4144-ACEE-E5DFB13AC6DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "571CA374-11A2-44A9-B007-3F3D4247884A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:3.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D52D8713-B5BA-43C2-BC46-02A2CD3950CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Invision Power IP.Board (tambi\u00e9n conocido como IPB or Power Board) 3.4.x hasta 3.4.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de la cabecera HTTP Referer en admin/install/index.php."
}
],
"id": "CVE-2014-5106",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-07-28T15:55:03.960",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/532822/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/68705"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94693"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/532822/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/68705"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94693"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-03-02 01:29
Modified
2024-11-21 04:49
Severity ?
Summary
Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| vulnerability@kaspersky.com | http://www.securityfocus.com/bid/107258 | Third Party Advisory, VDB Entry | |
| vulnerability@kaspersky.com | https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/107258 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3EDBCD3A-9687-44EC-BFBF-04914B1A77EC",
"versionEndIncluding": "3.4.8",
"versionStartIncluding": "3.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution."
},
{
"lang": "es",
"value": "Cross-Site Scripting (XSS) persistente en Invision Power Board, desde la versi\u00f3n 3.3.1 hasta la 3.4.8, conduce a la ejecuci\u00f3n remota de c\u00f3digo."
}
],
"id": "CVE-2019-8278",
"lastModified": "2024-11-21T04:49:38.203",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-02T01:29:00.307",
"references": [
{
"source": "vulnerability@kaspersky.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107258"
},
{
"source": "vulnerability@kaspersky.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/107258"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://scriptinjection.blogspot.com/2019/02/invision-power-board-331-348-stored-xss.html"
}
],
"sourceIdentifier": "vulnerability@kaspersky.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-07-12 19:59
Modified
2025-04-12 10:46
Severity ?
Summary
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invisioncommunity | invision_power_board | * | |
| php | php | * | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.0 | |
| php | php | 5.5.1 | |
| php | php | 5.5.2 | |
| php | php | 5.5.3 | |
| php | php | 5.5.4 | |
| php | php | 5.5.5 | |
| php | php | 5.5.6 | |
| php | php | 5.5.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D607E4-0869-4C7C-9E08-76CD380D338A",
"versionEndIncluding": "4.1.12.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A081943C-9504-493E-AF3C-43328E269AAB",
"versionEndIncluding": "5.4.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9F6D9B19-E64D-4BED-9194-17460CE19E6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "3D25E591-448C-4E3B-8557-6E48F7571796",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "6DA18F3F-B4B5-40C3-BF19-67C1F0C1787D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "3AF783C9-26E7-4E02-BD41-77B9783667E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "EF49701D-ECE4-4CEB-BDAB-24C09C8AD4B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "7AEDF6F7-001D-4A35-A26F-417991AD377F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "4031DB99-B4B4-41EC-B3C1-543D92C575A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "D5450EA7-A398-49D2-AA8E-7C95B074BAB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "04FE0E4E-BC94-4DC9-BE9B-DC57B952B2FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "BB8E09D8-9CBE-4279-88B7-24A214A5A537",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "2D41ECCE-887D-49A2-9BB3-B559495AC55B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "79B418BC-27F4-4443-A0F7-FF4ADA568C1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "8EEBDF62-BA1B-4438-9AEA-8B56AA5713E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F644EA6C-50C6-4A1C-A4AC-287AA9477B46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4DD47F30-74F5-48E8-8657-C2373FE2BD22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0C09527B-6B47-41F8-BDE6-01C47E452286",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2E454D87-23CB-4D7F-90FE-942EE54D661F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1031E646-F2CF-4A3E-8E6A-5D4BC950BEDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "130E50C1-D209-4CFF-9399-69D561340FBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:php:php:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "C1F29948-9417-460B-8B04-D91AE4E8B423",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter."
},
{
"lang": "es",
"value": "applications/core/modules/front/system/content.php en Invision Power Services IPS Community Suite (tambi\u00e9n conocido como Invision Power Board, IPB o Power Board) en versiones anteriores a 4.1.13, cuando se utiliza con PHP en versiones anteriores a 5.4.24 o 5.5.x en versiones anteriores a 5.5.8, permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro content_class."
}
],
"id": "CVE-2016-6174",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-07-12T19:59:09.567",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://karmainsecurity.com/KIS-2016-11"
},
{
"source": "cve@mitre.org",
"url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
},
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2016/Jul/19"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/91732"
},
{
"source": "cve@mitre.org",
"url": "https://invisionpower.com/release-notes/4113-r44/"
},
{
"source": "cve@mitre.org",
"url": "https://support.apple.com/HT207170"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/40084/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://karmainsecurity.com/KIS-2016-11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2016/Jul/19"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/91732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://invisionpower.com/release-notes/4113-r44/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.apple.com/HT207170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/40084/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}