CVE-2015-6810 – Invision Power Board (IP.Board) 4.x - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-6810
Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_location[address] array parameter to calendar/submit/. Vulnerabilidad de XSS en Invision Power Services IPS Community Suite (también conocido como Invision Power Board, IPB o Power Board) 4.x en versiones anteriores a 4.0.12.1, permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro del vector event_location[address] a calendar/submit/ • https://www.exploit-db.com/exploits/37989 https://community.invisionpower.com/release-notes/40121-r22 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9239
https://notcve.org/view.php?id=CVE-2014-9239
SQL injection vulnerability in the IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) 3.3.x and 3.4.x through 3.4.7 before 20141114 allows remote attackers to execute arbitrary SQL commands via the id[] parameter. Vulnerabilidad de inyección SQL en el servicio IPS Connect (interface/ipsconnect/ipsconnect.php) en Invision Power Board (también conocido como IPB o IP.Board) 3.3.x y 3.4.x hasta 3.4.7 anterior a 20141114 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro id[]. • http://community.invisionpower.com/blogs/entry/9704-active-security-exploit http://community.invisionpower.com/blogs/entry/9705-ipboard-33x-34x-security-update http://seclists.org/fulldisclosure/2014/Nov/20 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-3149
https://notcve.org/view.php?id=CVE-2014-3149
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.3.x and 3.4.x through 3.4.6, as downloaded before 20140424, or IP.Nexus 1.5.x through 1.5.9, as downloaded before 20140424, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en Invision Power IP.Board (también conocido como IPB o Power Board) 3.3.x y 3.4.x hasta 3.4.6, descargado antes del 20140424, o IP.Nexus 1.5.x hasta 1.5.9, descargado antes del 20140424, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update http://packetstormsecurity.com/files/127328/IP.Board-3.4.x-3.3.x-Cross-Site-Scripting.html http://www.christian-schneider.net/advisories/CVE-2014-3149.txt http://www.securityfocus.com/archive/1/532618/100/0/threaded http://www.securityfocus.com/bid/67164 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-5692 – Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution
https://notcve.org/view.php?id=CVE-2012-5692
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors. Vulnerabilidad no específica en admin/sources/base/core.php en Invision Power Board (también conocido como IPB o IP.Board) v3.1.x hasta v3.3.x tiene un impacto y vectores de ataque desconocidos. • https://www.exploit-db.com/exploits/22686 https://www.exploit-db.com/exploits/22398 https://www.exploit-db.com/exploits/22547 http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update http://secunia.com/advisories/51104 http://www.securityfocus.com/bid/56288 •
CVE-2006-0633
https://notcve.org/view.php?id=CVE-2006-0633
The make_password function in ipsclass.php in Invision Power Board (IPB) 2.1.4 uses random data generated from partially predictable seeds to create the authentication code that is sent by e-mail to a user with a lost password, which might make it easier for remote attackers to guess the code and change the password for an IPB account, possibly involving millions of requests. • http://forums.invisionpower.com/lofiversion/index.php/t200085.html http://www.r-security.net/tutorials/view/readtutorial.php?id=4 • CWE-287: Improper Authentication •