Invision Power Board CVE-2014-4928 SQL Injection Vulnerability

Bugtraq ID:	104010
Class:	Input Validation Error
CVE:	CVE-2014-4928
Remote:	Yes
Local:	No
Published:	Mar 20 2018 12:00AM
Updated:	Mar 20 2018 12:00AM
Credit:	Jamieson O'Reilly
Vulnerable:	Invisionpower Invision Power Board 3.4.5 Invisionpower Invision Power Board 3.4.4 Invisionpower Invision Power Board 3.4.3 Invisionpower Invision Power Board 3.4.2 Invisionpower Invision Power Board 3.4.1 Invisionpower Invision Power Board 3.4 Invisionpower Invision Power Board 3.3.4 Invisionpower Invision Power Board 3.3.3 Invisionpower Invision Power Board 3.3.2 Invisionpower Invision Power Board 3.3.1
Not Vulnerable:	Invisionpower Invision Power Board 3.4.6

Invision Power Board CVE-2014-4928 SQL Injection Vulnerability

Invision Power Board is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Invision Power Board 3.4.6 are vulnerable.

Invision Power Board CVE-2014-4928 SQL Injection Vulnerability

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

Invision Power Board CVE-2014-4928 SQL Injection Vulnerability

References:

• Invision Power Board - Blind SQL Injection - Bypassing Hardcoded Blacklists (blogspot.com.au)
  
• Invision Power Board Homepage (Invision Power Services )