CVE-2010-3424
https://notcve.org/view.php?id=CVE-2010-3424
Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en admin/sources/classes/bbcode/custom/defaults.php en Invision Power Board (IP.Board) v3.1.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://community.invisionpower.com/topic/320838-ipboard-31x-security-patch-released http://secunia.com/advisories/41314 http://www.securityfocus.com/bid/43053 http://www.vupen.com/english/advisories/2010/2328 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-0802 – IPB (nv2) Awards < 1.1.0 - SQL Injection
https://notcve.org/view.php?id=CVE-2010-0802
SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modification for Invision Power Board, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action. Vulnerabilidad de inyección sQL en index.php en (nv2) Awards v1.1.0, modificado para Invision Power Board, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "id" en una acción view. • https://www.exploit-db.com/exploits/11297 http://packetstormsecurity.org/1001-exploits/ipbawards-sql.txt http://secunia.com/advisories/38407 http://www.exploit-db.com/exploits/11297 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2009-3974
https://notcve.org/view.php?id=CVE-2009-3974
Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number. Múltiples vulnerabilidades de inyección SQL en Invision Power Board (IPB or IP.Board) v3.0.0, v3.0.1 y v3.0.2, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) "search_term" a admin/applications/core/modules_public/search/search.php y(2) "aid" to admin/applications/core/modules_public/global/lostpass.php. NOTA: en el 18/08/2009, el fabricante parcheó la v3.0.2 sin modificar la versión del producto. • http://forums.invisionpower.com/topic/291103-invision-power-board-3-0-2-security-update http://www.vupen.com/english/advisories/2009/2413 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-6565 – Invision Power Board 2.x - 'Signature' iFrame Security
https://notcve.org/view.php?id=CVE-2008-6565
Cross-site scripting (XSS) vulnerability in Invision Power Board 2.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via an IFRAME tag in the signature. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Invision Power Board v2.3.1 y anteriores, permite a atacantes remotos inyectar secuencias de comandos Web o HTML de su elección a través de una etiqueta IFRAME en la firma. • https://www.exploit-db.com/exploits/31541 http://www.securityfocus.com/archive/1/490115/100/0/threaded http://www.securityfocus.com/bid/28466 https://exchange.xforce.ibmcloud.com/vulnerabilities/41502 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-4171
https://notcve.org/view.php?id=CVE-2008-4171
SQL injection vulnerability in xmlout.php in Invision Power Board (IP.Board or IPB) 2.2.x and 2.3.x allows remote attackers to execute arbitrary SQL commands via the name parameter. Vulnerabilidad de inyección SQL en xmlout.php en Invision Power Board (IP.Board o IPB) 2.2.x y 2.3.x permite a atacantes remoto ejecutar comandos SQL de su elección a través del parámetro "name". • http://forums.invisionpower.com/index.php?showtopic=276512 http://www.securityfocus.com/bid/31288 http://www.securitytracker.com/id?1020817 http://www.vupen.com/english/advisories/2008/2487 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •