Invision Power Board User Profile And Subscription Manager Multiple Input Validation Vulnerabilities

Bugtraq ID:	25656
Class:	Input Validation Error
CVE:	CVE-2007-4914 CVE-2007-4912
Remote:	Yes
Local:	No
Published:	Sep 13 2007 12:00AM
Updated:	Jul 06 2016 02:17PM
Credit:	The vendor credits http://www.turkish-media.com/forum/ and http://communityseo.com/forums/ with the discovery of these issues.
Vulnerable:	Invision Power Services Invision Power Board 2.2.2 Invision Power Services Invision Power Board 2.2.1 Invision Power Services Invision Power Board 2.2 Invision Power Services Invision Power Board 2.1.6 Invision Power Services Invision Power Board 2.1.5.2006.04.25 Invision Power Services Invision Power Board 2.1.5.2006.03.08
Not Vulnerable:	Invision Power Services Invision Power Board 2.3.1

Invision Power Board User Profile And Subscription Manager Multiple Input Validation Vulnerabilities

Invision Power Board (IP.Board) is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input.

Attackers can exploit these issues to inject arbitrary script code into a user profile or to modify the privileges of arbitrary user accounts. Injected code will be stored persistently on the affected site.

IP.Board 2.3.1 is vulnerable; other versions may also be affected.

Invision Power Board User Profile And Subscription Manager Multiple Input Validation Vulnerabilities

An attacker can exploit these issues via a browser.

Invision Power Board User Profile And Subscription Manager Multiple Input Validation Vulnerabilities

Solution:
The vendor released a patch to address these issues. Please see the references for more information.

Invision Power Board User Profile And Subscription Manager Multiple Input Validation Vulnerabilities

References:

• Invision Board Homepage (Invision Power Services)
  
• IP.Board Security Enhancements (Invision Power Services)