CVE-2016-6174
published 2016-07-12


Priority: P2, 64, high; CVSS 3.0: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 12.29% (95.7th percentile)
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
apple | macos_sierra | |
invisioncommunity | invision_power_board | <= 4.1.12.3 |
php | php | <= 5.4.23 |
php | php | |
php | php | |
php | php | |
php | php | |
php | php | |
php | php | |
php | php | |
php | php | |

Detection & IOCs (extracted from sources)

url: index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*
path: applications/core/modules/front/system/content.php
path: /applications/cms/Application.php
  • Monitor HTTP requests for the 'content_class' parameter containing namespace separator characters, curly braces, or PHP function calls (e.g. 'cms\Fields' followed by digits and injected PHP code), targeting the endpoint app=core&module=system&controller=content&do=find
  • Alert on HTTP requests where 'content_class' parameter value matches the pattern 'cms\Fields<digit>{...}' as this triggers the vulnerable eval() code path in Application.php
  • Exploitation is only possible against IPS Community Suite running on PHP < 5.4.24 or PHP 5.5.x < 5.5.8; fingerprint target PHP version to prioritize triage
  • Exploitation requires the CMS application to be installed and active, as the vulnerable autoloader is defined in /applications/cms/Application.php; instances without the CMS app are not exploitable via this vector
  • The vulnerability is only exploitable on PHP versions before 5.4.24 or 5.5.x before 5.5.8; modern PHP versions are not affected
  • The attack is unauthenticated: no session or login is required for exploitation
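
The two monitoring rules above, applied to web access logs, as an added example that is not part of the original page. The combined log format, the alert/review tiers and the sample lines are assumptions, and a bare namespace separator in content_class is not flagged on its own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route parameters of the endpoint named in the notes above.
ENDPOINT = {"app": "core", "module": "system", "controller": "content", "do": "find"}
# 'cms\Fields<digit>{' : the value shape the notes tie to the eval() code path.
FIELDS_BRACE = re.compile(r"cms\\+Fields\d+\s*\{", re.IGNORECASE)
# Braces, call parentheses, statement separators, comment openers.
CODE_CHARS = re.compile(r"[{}();]|/\*")
# Client and request target of a combined-format access log line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return 'alert', 'review' or None for one request target."""
    # parse_qs percent-decodes, so encoded and raw payloads compare equal.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    on_endpoint = all(params.get(k, [""])[-1] == v for k, v in ENDPOINT.items())
    verdict = None
    for value in params.get("content_class", []):
        if on_endpoint and FIELDS_BRACE.search(value):
            return "alert"
        if CODE_CHARS.search(value):
            verdict = "review"
    return verdict

def scan(lines):
    """Return (client, verdict) for every log line that is flagged."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        verdict = classify(m.group(2)) if m else None
        if verdict:
            hits.append((m.group(1), verdict))
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    r'198.51.100.7 - - [12/Jul/2016:10:00:01 +0000] "GET /index.php?app=core&module=system&controller=content&do=find&content_class=cms%5CRecords1&content_id=5 HTTP/1.1" 200 512',
    r'203.0.113.9 - - [12/Jul/2016:10:00:02 +0000] "GET /index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/* HTTP/1.1" 200 90211',
    r'203.0.113.9 - - [12/Jul/2016:10:00:03 +0000] "GET /index.php?app=core&module=system&controller=content&do=find&content_class=cms%5CFields1%7B%7Dphpinfo%28%29%3B%2F%2A HTTP/1.1" 200 90211',
    r'192.0.2.44 - - [12/Jul/2016:10:00:04 +0000] "GET /index.php?app=core&module=system&controller=content&do=find&content_class=x%7B%7D HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE):
        print(client, verdict)
```
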

CVSS provenance

nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P