# Exploit Title: IP.Board 4.X Stored XSS # Date: 27-08-2015 # Software Link: https://www.invisionpower.com/ # Exploit Author: snop. # Contact: http://twitter.com/rabbitz_org # Website: http://rabbitz.org # Category: webapps 1. Description A registered or non-registered user can create a calendar event including malicious JavaScript code who will be permanently stored in the pages source. 2. Proof of Concept http://URL_TO_FORUM/calendar/submit/?calendar=1 POST: Affected Paramter: event_location[address][] 3. Solution Update to version 4.0.12.1 https://community.invisionpower.com/release-notes/40121-r22/ Disclosure Timeline 27.07.15: Vendor notified 05.08.15: Fix released 27.08.15: Public disclosure