Detections
Analytics

Invision PowerBoard < 2.0.3 SQL Injection

medium Nessus Network Monitor Plugin ID 2422

Synopsis

The remote host is running a vulnerable version of Invision Power Board, a CGI suite designed to set up a bulletin board system on the remote web server.

Description

The remote host is running Invision Power Board, a CGI suite designed to set up a bulletin board system on the remote web server.
A vulnerability has been discovered in the remote version of this software that may allow unauthorized users to inject SQL commands in the remote SQL database.
 An attacker may use this flaw to gain the control of the remote database and possibly to overwrite files on the remote host.

In addition, a remote HTML injection flaw has been identified within
Invision Power Board. An attacker exploiting this flaw would be
able to control the way that the website is presented. In order to
exploit such a vulnerability, the attacker would need to be able to
convince a user to visit a malicious website.

Solution

Upgrade to version 2.0.3 or higher.

See Also

http://www.securityfocus.com/archive/1/395515

Plugin Details

Severity: Medium

ID: 2422

Family: CGI

Published: 11/22/2004

Updated: 3/6/2019

Nessus ID: 15778, 17609, 18011

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:invision_power_services:invision_board

Reference Information

CVE: CVE-2004-1531, CVE-2005-0477, CVE-2005-0886, CVE-2005-1070, CVE-2005-1598

BID: 13529, 12607, 13375, 13097, 12888, 11703