CVE-2017-8899

Name of the Vulnerable Software and Affected Versions Invision Power Services (IPS) Community Suite versions 4.1.19.2 and earlier

Description The issue is related to Stored XSS and Information Disclosure in the attachments feature found in User CP. It can be triggered by any Invision Power Board user, potentially allowing access to moderator or admin accounts. The exploitation is possible through uploading an SVG document with a crafted attribute, such as onload. However, full path disclosure is required for successful exploitation.

Recommendations For versions 4.1.19.2 and earlier, consider restricting the upload of SVG documents or disabling the attachments feature in User CP until a fix is available. As a temporary workaround, restrict access to the moderator and admin accounts to minimize the risk of exploitation.