{"api_version":"1","generated_at":"2026-04-29T12:11:59+00:00","cve":"CVE-2017-8898","urls":{"html":"https://cve.report/CVE-2017-8898","api":"https://cve.report/api/cve/CVE-2017-8898.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-8898","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-8898"},"summary":{"title":"CVE-2017-8898","description":"Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the \"<> Source\" option.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-05-11 17:29:00","updated_at":"2020-06-03 14:55:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://twitter.com/sxcurity/status/862284967715381248","name":"https://twitter.com/sxcurity/status/862284967715381248","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Corben Leo na Twitterze: \"Payload could be something like this: … \"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://zeroday.insecurity.zone/exploits/ipb_owned.txt","name":"http://zeroday.insecurity.zone/exploits/ipb_owned.txt","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"","mime":"text/plain","httpstatus":"-1","archivestatus":"200"},{"url":"https://twitter.com/insecurity/status/862154908895780864","name":"https://twitter.com/insecurity/status/862154908895780864","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"PROJECT INSECURITY na Twitterze: \"[EXPLOIT] IPB Forum (4x: Current) - Reflected/Stored XSS + CSRF + FPD + Malicious file upload + ACP->Shell\n\nwriteup: https://t.co/5XEw98fIVk… https://t.co/RqpG6zDfzW\"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-8898","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-8898","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"8898","vulnerable":"1","versionEndIncluding":"4.1.19.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"invisioncommunity","cpe5":"invision_power_board","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-8898","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the \"<> Source\" option."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://zeroday.insecurity.zone/exploits/ipb_owned.txt","refsource":"MISC","url":"http://zeroday.insecurity.zone/exploits/ipb_owned.txt"},{"name":"https://twitter.com/insecurity/status/862154908895780864","refsource":"MISC","url":"https://twitter.com/insecurity/status/862154908895780864"},{"name":"https://twitter.com/sxcurity/status/862284967715381248","refsource":"MISC","url":"https://twitter.com/sxcurity/status/862284967715381248"}]}},"nvd":{"publishedDate":"2017-05-11 17:29:00","lastModifiedDate":"2020-06-03 14:55:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*","versionEndIncluding":"4.1.19.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"8898","Ordinal":"105837","Title":"CVE-2017-8898","CVE":"CVE-2017-8898","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"8898","Ordinal":"1","NoteData":"Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the \"<> Source\" option.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"8898","Ordinal":"2","NoteData":"2017-05-11","Type":"Other","Title":"Published"}]}}}