J-Security Center

Title: Invision Power Board SSI.PHP Cross-Site Scripting Vulnerability

Severity: MODERATE

Description:

Invision Board is web forum software. It is implemented in PHP and is available for Unix and Linux variants and Microsoft Windows operating systems.

The Invision Power Board 'ssi.php' script is reported to be prone to a cross-site scripting vulnerability.

The issue exists because functions in the 'ssi.php' script perform insufficient sanitization of the user-influenced 'f' parameter. It is reported that a remote attacker may construct a malicious link to the script, host that link on a remote site, and supply arbitrary HTML code as the value of the 'f' URI parameter. If a user follows the link, the contents of the 'f' parameter are rendered in that user's browser.

This can permit the theft of cookie-based authentication credentials; other attacks may also be possible.
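The following PHP is an added illustration of the flaw class described above and of its remediation; it is not Invision Power Board's own 'ssi.php' source, and the function names (render_vulnerable, render_hardened) and the sample inputs are constructed for this example. The vulnerable function reflects the 'f' parameter straight into HTML; the hardened one validates 'f' as a positive integer forum id, encodes it on output as defence in depth, and marks the session cookie HttpOnly to limit the cookie-theft impact the advisory names.

```php
<?php
// Added example, not Invision Power Board code. Models a forum-id parameter
// 'f' reflected into HTML, first without and then with sanitization.

// Limit the impact the advisory describes (cookie theft via injected script):
// an HttpOnly session cookie is not readable from page JavaScript.
// Must be called before session_start() in a real application.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// --- Vulnerable pattern (the class of bug the advisory reports) ---
function render_vulnerable(array $get): string
{
    $f = $get['f'] ?? '';
    // Raw reflection: any markup carried in 'f' becomes part of the page.
    return '<div class="ssi">Forum: ' . $f . '</div>';
}

// --- Hardened pattern ---
function render_hardened(array $get): string
{
    // 1. Validate: a forum id is a positive integer; reject anything else
    //    before it reaches the output stage at all.
    $f = filter_var(
        $get['f'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($f === false) {
        http_response_code(400);
        return '<div class="ssi">Invalid forum id</div>';
    }

    // 2. Encode on output regardless (defence in depth), so the value cannot
    //    break out of the text context even if validation is later relaxed.
    $safe = htmlspecialchars((string) $f, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="ssi">Forum: ' . $safe . '</div>';
}

// Constructed inputs: a legitimate forum id and a value carrying HTML markup.
$benign = ['f' => '12'];
$markup = ['f' => '<b>not a number</b>'];

echo render_vulnerable($markup), PHP_EOL; // markup reaches the browser unchanged
echo render_hardened($benign), PHP_EOL;   // numeric id is accepted and rendered
echo render_hardened($markup), PHP_EOL;   // rejected by validation, never reflected
```

The order matters: validation rejects the whole class of non-numeric input, while output encoding protects the remaining path if a future change allows free-text values; relying on either alone is the mistake the advisory describes.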

Affected Products:

  • Invision Power Services Invision Board 1.3.0 Final

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.