PT-2017-8055 · Invision Power Services · Invision Power Services Community Suite

Published

2017-04-23

Updated

2020-06-03

CVE-2016-2564

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Invision Power Services (IPS) Community Suite versions prior to 4.1.9

Description The issue makes session hijack easier by relying on the PHP uniqid function without the more entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.

Recommendations For versions prior to 4.1.9, update to version 4.1.9 or later to resolve the issue.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-331

Related Identifiers

CVE-2016-2564

Affected Products

Invision Power Services Community Suite

PT-2017-8055 · Invision Power Services · Invision Power Services Community Suite

CVE-2016-2564

Weakness Enumeration

Related Identifiers

Affected Products

References · 5