Skip to main content

Invision Power Board CVE-2019-8278

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2019-03-02 vulnerability@kaspersky.com
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 02, 2019 - 01:29 nvd
MEDIUM 6.1

DescriptionNVD

Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution.

AnalysisAI

Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Remote Code Execution. Affected products include: Invisioncommunity Invision Power Board.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2012-5692 CRITICAL POC
10.0 Oct 31

Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3

CVE-2016-6174 HIGH POC
8.1 Jul 12

applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Bo

CVE-2017-8898 CRITICAL POC
9.8 May 11

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privile

CVE-2017-8899 HIGH POC
8.1 May 11

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclos

CVE-2014-9239 HIGH POC
7.5 Dec 03

SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (ak

CVE-2017-8897 MEDIUM POC
6.1 May 11

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has pre-auth reflected XSS in the IPS UTF8 Converter

CVE-2021-39249 MEDIUM POC
6.1 Aug 17

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of up

CVE-2021-39250 MEDIUM POC
5.4 Aug 17

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution

CVE-2015-6812 HIGH
7.8 Sep 04

Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remot

CVE-2015-6810 LOW POC
3.5 Sep 04

Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB,

CVE-2016-2564 MEDIUM
5.9 Apr 23

Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid func

CVE-2014-3149 MEDIUM
4.3 Jul 03

Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4

Share

CVE-2019-8278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy