Back to list
CVE-2014-3149 - Reflected Cross-Site Scripting (XSS) in "Invision Power IP.Board"
Jul 01 2014 07:26PM
Christian Schneider (mail Christian-Schneider net)
-----BEGIN PGP SIGNED MESSAGE-----
"Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "Invision Power IP.Board" product
Invision Power Services Inc.
"IP.Board is the leading solution for creating an engaging discussion forum on the web.
Trusted by thousands of forums, large and small." - source: https://www.invisionpower.com/apps/board/
This vulnerability affects versions of IP.Board prior 3.4.6 as well as versions 3.3.x
The vendor has released patches for versions 3.4.x and 3.3.x at
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Clickjacking or social engineering required
Using a specially crafted request to access the web forum software IP.Board it
is possible to execute Reflected Cross-Site Scripting (XSS) attacks. Due to a
token-based CSRF protection the actual exploitation is somewhat limited, since
attackers have to trick victims (using Clickjacking or social engineering)
into submitting an attacker supplied content.
Proof of concept
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus