CVE-2016-6174

MEDIUM

Description

applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.

References

http://karmainsecurity.com/KIS-2016-11

http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html

http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html

http://seclists.org/fulldisclosure/2016/Jul/19

http://www.securityfocus.com/bid/91732

https://invisionpower.com/release-notes/4113-r44/

https://support.apple.com/HT207170

https://www.exploit-db.com/exploits/40084/

Details

Source: MITRE

Published: 2016-07-12

Updated: 2017-03-21

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH