PT-2017-8055 · Invision Power Services · Invision Power Services Community Suite

Publicado

2017-04-23

Atualizado

2020-06-03

CVE-2016-2564

CVSS v3.1

5.9

Média

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Invision Power Services (IPS) Community Suite versions prior to 4.1.9

Description The issue makes session hijack easier by relying on the PHP uniqid function without the more entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.

Recommendations For versions prior to 4.1.9, update to version 4.1.9 or later to resolve the issue.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-331

Identificadores relacionados

CVE-2016-2564

Produtos afetados

Invision Power Services Community Suite

PT-2017-8055 · Invision Power Services · Invision Power Services Community Suite

CVE-2016-2564

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5