PT-2017-18607 · Invision Power Services · Invision Power Board+2
Published
2017-05-11
·
Updated
2020-06-03
·
CVE-2017-8897
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Invision Power Services (IPS) Community Suite versions 4.1.19.2 and earlier
Description
The issue concerns a pre-auth reflected XSS in the IPS UTF8 Converter v1.1.18. The attack vector is the "admin/convertutf8/index.php?controller=" endpoint. This vulnerability can be exploited to create a malicious announcement that affects any Invision Power Board user who views the announcement.
Recommendations
For Invision Power Services (IPS) Community Suite versions 4.1.19.2 and earlier, consider disabling the IPS UTF8 Converter v1.1.18 until a patch is available to prevent exploitation of the reflected XSS vulnerability. Restrict access to the "admin/convertutf8/index.php?controller=" endpoint to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ips Utf8 Converter
Invision Power Board
Invision Power Services Community Suite