Invision PowerBoard < 2.0.3 SQL Injection

High Nessus Network Monitor Plugin ID 2422

Synopsis

The remote host is running a vulnerable version of Invision Power Board, a CGI suite designed to set up a bulletin board system on the remote web server.

Description

The remote host is running Invision Power Board, a CGI suite designed to set up a bulletin board system on the remote web server.
A vulnerability has been discovered in the remote version of this software that may allow unauthorized users to inject SQL commands in the remote SQL database.
An attacker may use this flaw to gain the control of the remote database and possibly to overwrite files on the remote host.

In addition, a remote HTML injection flaw has been identified within
Invision Power Board. An attacker exploiting this flaw would be
able to control the way that the website is presented. In order to
exploit such a vulnerability, the attacker would need to be able to
convince a user to visit a malicious website.

Solution

Upgrade to version 2.0.3 or higher.

See Also

http://www.securityfocus.com/archive/1/395515

Plugin Details

Severity: High

ID: 2422

Family: CGI

Published: 2004/11/22

Modified: 2018/07/11

Dependencies: 1442

Nessus ID: 15778, 17609, 18011

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:invision_power_services:invision_board

Reference Information

CVE: CVE-2005-0886, CVE-2005-0477, CVE-2005-1070, CVE-2005-1598, CVE-2004-1531

BID: 13529, 12607, 13375, 13097, 12888, 11703