Mr.Snake

**Name of the Vulnerable Software and Affected Versions** Invision Power Board versions 2.1.6 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via a POST that contains hexadecimal-encoded HTML. **Recommendations** For versions 2.1.6 and earlier, update to a version later than 2.1.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Invision Power Board version 2.1.5 **Description** The issue concerns a SQL injection vulnerability in the topic deletion functionality, specifically in the post delete function located in func mod.php. This vulnerability allows remote authenticated moderators to execute arbitrary SQL commands. The vulnerability is exploited via the `selectedpids` parameter, which can bypass an integer value check when the `$id` variable is an array. **Recommendations** For Invision Power Board version 2.1.5, consider disabling the post delete function in func mod.php as a temporary workaround until a patch is available. Restrict access to the `selectedpids` parameter in the topic deletion functionality to minimize the risk of exploitation.