PT-2007-6028 · Invision Power · Invision Power Board
Published: 2007-09-17 · Updated: 2017-07-29 · CVE-2007-4914
CVSS v2.0: 6.0 (Medium) · Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Invision Power Board versions 2.3.1 before 20070912
Description: The issue allows remote authenticated users to change the member ID and reduce the privilege level of arbitrary users via a crafted payment form. It is related to certain PHP classes in the payment gateways directory, specifically class_gw_2checkout.php, class_gw_authorizenet.php, class_gw_nochex.php, class_gw_paypal.php, and class_gw_safshop.php.
Recommendations: For Invision Power Board version 2.3.1 before 20070912, update to a version released after 20070912 to resolve the issue. As a temporary workaround, consider restricting access to the payment form and the related PHP classes in the sources/classes/paymentgateways/ directory to minimize the risk of exploitation.

Tags: Fix · RCE


Related Identifiers: CVE-2007-4914
Affected Products: Invision Power Board