CVE-2017-8899
published 2017-05-11
CVE-2017-8899: Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature…
Priority: P339, high, 8.1 (CVSS 3.0)
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.48% (70.7th percentile)
Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such as onload; however, full path disclosure is required for exploitation.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| invisioncommunity | invision_power_board | <= 4.1.19.2 | — |
CVSS provenance
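| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |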
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://zeroday.insecurity.zone/exploits/ipb_owned.txt
https://twitter.com/insecurity/status/862154908895780864
https://twitter.com/sxcurity/status/862284967715381248
2017-05-11
Published