Invision Power Board Unspecified HTML Injection Vulnerability

Bugtraq ID:	52097
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 21 2012 12:00AM
Updated:	Feb 21 2012 12:00AM
Credit:	The vendor reported this issue.
Vulnerable:	Invision Power Services Invision Power Board 3.1.4 Invision Power Services Invision Power Board 3.1.3 Invision Power Services Invision Power Board 3.1.2 Invision Power Services Invision Power Board 3.0.5 Invision Power Services Invision Power Board 3.0.3 Invision Power Services Invision Power Board 3.0.2 Invision Power Services Invision Power Board 3.0.1 Invision Power Services Invision Power Board 3.0 b5 Invision Power Services Invision Power Board 3.0 Invision Power Services Invision Power Board 3.0.4 Invision Power Services Invision Power Board 3
Not Vulnerable:

Invision Power Board Unspecified HTML Injection Vulnerability

Invision Power Board is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.

Invision Power Board Unspecified HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

Invision Power Board Unspecified HTML Injection Vulnerability

Solution:
The vendor has released patches. Please see the references for more information.

Invision Power Board Unspecified HTML Injection Vulnerability

References:

• Invision Board Homepage (Invision Power Services)
  
• IP.Board Security Update (Invision Power Services)