Invision Power Board HTTP POST Request IFRAME Tag XSS

low Nessus Plugin ID 17609

Language:

Synopsis

The remote web server contains a PHP script that is vulnerable to a cross-site scripting attack.

Description

The version of Invision Power Board installed on the remote host does not properly sanitize HTML tags, which enables a remote attacker to inject a malicious IFRAME when posting a message to one of the hosted forums. This could cause arbitrary HTML and script code to be executed in the context of users browsing the forum, which could allow an attacker to steal cookies or misrepresent site content.

Solution

Upgrade to Invision Power Board 2.0.3 or later.

Plugin Details

Severity: Low

ID: 17609

File Name: invision_power_board_iframe_xss.nasl

Version: 1.21

Type: remote

Family: CGI abuses : XSS

Published: 3/24/2005

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 3

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:invisionpower:invision_power_board

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 3/24/2005

Reference Information

CVE: CVE-2005-0886

BID: 12888

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

Detections

Analytics