CVE-2014-3149 =================== "Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "Invision Power IP.Board" product Vendor =================== Invision Power Services Inc. Product =================== IP.Board "IP.Board is the leading solution for creating an engaging discussion forum on the web. Trusted by thousands of forums, large and small." - source: https://www.invisionpower.com/apps/board/ Affected versions =================== This vulnerability affects versions of IP.Board prior 3.4.6 as well as versions 3.3.x Patch =================== The vendor has released patches for versions 3.4.x and 3.3.x at http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/ Reported by =================== This issue was reported to the vendor by Christian Schneider (@cschneider4711) following a responsible disclosure process. Severity =================== Low Exploitability =================== Clickjacking or social engineering required Description =================== Using a specially crafted request to access the web forum software IP.Board it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. Due to a token-based CSRF protection the actual exploitation is somewhat limited, since attackers have to trick victims (using Clickjacking or social engineering) into submitting an attacker supplied content. Proof of concept =================== Due to the responsible disclosure process chosen and to not harm unpatched systems, no concrete exploit code will be presented in this advisory. References =================== http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/ http://www.christian-schneider.net/advisories/CVE-2014-3149.txt