CVE-2006-0633 — Improper Authentication in Invision Power Board

CWE-287 — Improper Authentication4 documents4 sources

Severity

6.4MEDIUMNVD

EPSS

0.5%

top 33.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Invisionpower Invision Power Board

Timeline

PublishedFeb 10

Latest updateMay 1

Description

The make_password function in ipsclass.php in Invision Power Board (IPB) 2.1.4 uses random data generated from partially predictable seeds to create the authentication code that is sent by e-mail to a user with a lost password, which might make it easier for remote attackers to guess the code and change the password for an IPB account, possibly involving millions of requests.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDinvisionpower/invision_power_board2.1.4

Patches

Patch: www.r-security.net ↗Patch: www.r-security.net ↗

🔴Vulnerability Details

GHSA

GHSA-8g89-7pph-hvr4: The make_password function in ipsclass↗2022-05-01

▶

CVEList

CVE-2006-0633: The make_password function in ipsclass↗2006-02-10

▶

💬Community

Bugzilla

CVE-2006-3743 ImageMagick multiple security issues (CVE-2006-3744)↗2006-08-11

▶