Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24054
HistoryJun 14, 2010 - 12:00 a.m.

[MajorSecurity SA-069]Invision Power Board - stored Cross site Scripting

2010-06-1400:00:00
vulners.com
25
JSON

[MajorSecurity SA-069]Invision Power Board - stored Cross site Scripting

Details

Product: Invision Power Board
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.invisionpower.com
Vendor-Status: informed
Advisory-Status: published

Credits

Discovered by: David Vieira-Kurz
http://www.majorsecurity.info/penetrationstest.php

Affected Products:

Invision Power Board 3.0.5 and prior

Introduction

Invision Power Board is a widely used forums script.

More Details

Input passed to the calendar app (which is one of the core modules inside invision power
board) is not properly sanitised before being stored and returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
The calendar can be shown on every page of the invision board, so that in fact this is a
serious security issue.

Solution

Web applications should never trust on user generated input and therefore sanatize all
input.

MajorSecurity

MajorSecurity is a German penetrationtesting and security research company which focuses
on web application security. We offer professional penetrationstest, security audits,
source code reviews.

JSON