IP.Board 3.4.x / 3.3.x Cross Site Scripting

2014.07.03
Credit: Christian
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVE-2014-3149 =================== "Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "Invision Power IP.Board" product Vendor =================== Invision Power Services Inc. Product =================== IP.Board "IP.Board is the leading solution for creating an engaging discussion forum on the web. Trusted by thousands of forums, large and small." - source: https://www.invisionpower.com/apps/board/ Affected versions =================== This vulnerability affects versions of IP.Board prior 3.4.6 as well as versions 3.3.x Patch =================== The vendor has released patches for versions 3.4.x and 3.3.x at http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/ Reported by =================== This issue was reported to the vendor by Christian Schneider (@cschneider4711) following a responsible disclosure process. Severity =================== Low Exploitability =================== Clickjacking or social engineering required Description =================== Using a specially crafted request to access the web forum software IP.Board it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. Due to a token-based CSRF protection the actual exploitation is somewhat limited, since attackers have to trick victims (using Clickjacking or social engineering) into submitting an attacker supplied content. Proof of concept =================== Due to the responsible disclosure process chosen and to not harm unpatched systems, no concrete exploit code will be presented in this advisory. References =================== http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/ http://www.christian-schneider.net/advisories/CVE-2014-3149.txt

References:

http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/
http://www.christian-schneider.net/advisories/CVE-2014-3149.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top