Vulnerability CVE-2007-4914


Published: 2007-09-17   Modified: 2012-02-12

Description:
Unspecified vulnerability in the subscriptions manager in Invision Power Board (IPB or IP.Board) 2.3.1 before 20070912 allows remote authenticated users to change the member ID and reduce the privilege level of arbitrary users via a crafted payment form, related to (1) class_gw_2checkout.php, (2) class_gw_authorizenet.php, (3) class_gw_nochex.php, (4) class_gw_paypal.php, and (5) class_gw_safshop.php in sources/classes/paymentgateways/.

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Invision Power Services -> Invision Power Board

References:
http://forums.invisionpower.com/index.php?showtopic=237075
http://forums.invisionpower.com/index.php?act=attach&type=post&id=11870
http://xforce.iss.net/xforce/xfdb/36590
http://www.securityfocus.com/bid/25656
http://secunia.com/advisories/26788
http://osvdb.org/41323
http://osvdb.org/41322
http://osvdb.org/41321
http://osvdb.org/41320
http://osvdb.org/41319

Copyright 2024, cxsecurity.com

 
