cnvd - cnvd-2017-06920

cnvd-2017-06920

Vulnerability from cnvd

Title: Invision Power Services Community Suite跨站脚本漏洞（CNVD-2017-06920）

Description:

Invision Power Services (IPS) Community Suite是一个用于在网络上构建社区的集成应用程序。

IPS Community Suite 4.1.19.2及之前的版本中存在跨站脚本漏洞。远程攻击者可利用该漏洞获取版主/管理员账户的访问权限。

Severity: 中

Formal description:

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://invisionpower.com

Reference: http://zeroday.insecurity.zone/exploits/ipb_owned.txt https://twitter.com/insecurity/status/862154908895780864

Impacted products

Name
Invision Power Services IPS Community Suite <=4.1.19.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8899"
    }
  },
  "description": "Invision Power Services (IPS) Community Suite\u662f\u4e00\u4e2a\u7528\u4e8e\u5728\u7f51\u7edc\u4e0a\u6784\u5efa\u793e\u533a\u7684\u96c6\u6210\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nIPS Community Suite 4.1.19.2\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7248\u4e3b/\u7ba1\u7406\u5458\u8d26\u6237\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "Invision Power Services",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://invisionpower.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-06920",
  "openTime": "2017-05-18",
  "products": {
    "product": "Invision Power Services IPS Community Suite \u003c=4.1.19.2"
  },
  "referenceLink": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt\r\nhttps://twitter.com/insecurity/status/862154908895780864",
  "serverity": "\u4e2d",
  "submitTime": "2017-05-17",
  "title": "Invision Power Services Community Suite\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2017-06920\uff09"
}

CVE-2017-8899 (GCVE-0-2017-8899)

Vulnerability from cvelistv5

Published

2017-05-11 17:00

Modified

2024-09-17 00:31

Severity ?

CWE

Summary

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation.

References

▼	URL	Tags
	http://zeroday.insecurity.zone/exploits/ipb_owned.txt	x_refsource_MISC
	https://twitter.com/insecurity/status/862154908895780864	x_refsource_MISC
	https://twitter.com/sxcurity/status/862284967715381248	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:48:22.873Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/insecurity/status/862154908895780864"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/sxcurity/status/862284967715381248"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-05-11T17:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/insecurity/status/862154908895780864"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/sxcurity/status/862284967715381248"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-8899",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt",
              "refsource": "MISC",
              "url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"
            },
            {
              "name": "https://twitter.com/insecurity/status/862154908895780864",
              "refsource": "MISC",
              "url": "https://twitter.com/insecurity/status/862154908895780864"
            },
            {
              "name": "https://twitter.com/sxcurity/status/862284967715381248",
              "refsource": "MISC",
              "url": "https://twitter.com/sxcurity/status/862284967715381248"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-8899",
    "datePublished": "2017-05-11T17:00:00Z",
    "dateReserved": "2017-05-11T00:00:00Z",
    "dateUpdated": "2024-09-17T00:31:12.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted