CVE-2009-3974 — SQL Injection in Invision Power Board

CWE-89 — SQL Injection3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 45.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Invisioncommunity Invision Power Board

Timeline

PublishedNov 18

Latest updateMay 2

Description

Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDinvisioncommunity/invision_power_board3.0.0, 3.0.1, 3.0.2+2

Patches

Patch: www.vupen.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

GHSA

GHSA-cpv9-v2q3-7qjr: Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP↗2022-05-02

▶

CVEList

CVE-2009-3974: Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP↗2009-11-18

▶