HOMEVULNERABILITIESVENDORSInvision Power Services

Invision Power ServicesCVEs & Vulnerabilities

73 CVEs affecting Invision Power Services products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

invision power board 366invision board 115invision gallery 20invision community blog 10invision power top site list 3
CVE-2005-2542MEDIUMpoc

Invision Power Board (IPB) 1.0.3 allows remote attackers to inject arbitrary web script or HTML via an attachment, which is automatically downloaded and processed as HTML.

10 Aug 2005
5.0
CVSS
CVE-2005-1945MEDIUM

Cross-site scripting (XSS) vulnerability in the convert_highlite_words function in Invision Blog before 1.1.2 Final allows remote attackers to inject arbitrary web script or HTML via double hex encoded highlight data.

9 Jun 2005
4.3
CVSS
CVE-2005-1946HIGH

Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 Final allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to an editentry, replyentry, or editcomment action, or (2) the mid parameter to an aboutme action.

9 Jun 2005
7.5
CVSS
CVE-2005-1948HIGHpoc

Multiple SQL injection vulnerabilities in Invision Gallery before 1.3.1 allow remote attackers to execute arbitrary SQL commands via (1) the comment parameter in an editcomment action or (2) the rating parameter when voting on a photo.

9 Jun 2005
7.5
CVSS
CVE-2005-1816MEDIUM

Invision Power Board (IPB) 1.0 through 2.0.4 allows non-root admins to add themselves or other users to the root admin group via the "Move users in this group to" screen.

1 Jun 2005
4.6
CVSS
CVE-2005-1817MEDIUMpoc

Invision Power Board (IPB) 1.0 through 1.3 allows remote attackers to edit arbitrary forum posts via a direct request to index.php with modified parameters.

1 Jun 2005
5.0
CVSS
CVE-2005-1597MEDIUMpoc

Cross-site scripting (XSS) vulnerability in (1) search.php and (2) topics.php for Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the highlite parameter.

16 May 2005
4.3
CVSS
CVE-2005-1598HIGHpoc

SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.

16 May 2005
7.5
CVSS
CVE-2005-1443MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in index.php for Invision Power Board (IPB) 2.0.3 and 2.1 Alpha 2 allows remote attackers to inject arbitrary web script or HTML via the (1) act, (2) Members, (3) calendar, or (4) HID parameters.

3 May 2005
6.8
CVSS
CVE-2005-0217HIGH

SQL injection vulnerability in index.php in Invision Community Blog allows remote attackers to execute arbitrary SQL commands via the eid parameter.

2 May 2005
7.5
CVSS
CVE-2005-0886MEDIUMpoc

Cross-site scripting (XSS) vulnerability in Invision Power Board 2.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via an HTTP POST request.

2 May 2005
4.3
CVSS
CVE-2005-1070HIGHpoc

SQL injection vulnerability in index.php in Invision Power Board 1.3.1 Final and earlier allows remote attackers to execute arbitrary SQL commands via the st parameter.

11 Apr 2005
7.5
CVSS
CVE-2005-0477MEDIUMpoc

Cross-site scripting (XSS) vulnerability in the SML code for Invision Power Board 1.3.1 FINAL allows remote attackers to inject arbitrary web script via (1) a signature file or (2) a message post containing an IMG tag within a COLOR tag whose style is set to background:url.

30 Mar 2005
4.3
CVSS
CVE-2004-1578MEDIUM

Cross-site scripting (XSS) vulnerability in index.php in Invision Power Board 2.0.0 allows remote attackers to execute arbitrary web script or HTML via the Referer field in the HTTP header.

31 Dec 2004
4.3
CVSS
CVE-2004-2279MEDIUM

Cross-site scripting (XSS) vulnerability in Invision Power Board 1.3 Final allows remote attackers to execute arbitrary script as other users via the pop parameter in a chat action to index.php.

31 Dec 2004
4.3
CVSS
CVE-2004-1835HIGHpoc

Multiple SQL injection vulnerabilities in index.php in Invision Gallery 1.0.1 allow remote attackers to execute arbitrary SQL via the (1) img, (2) cat, (3) sort_key, (4) order_key, (5) user, or (6) album parameters.

31 Dec 2004
7.5
CVSS
CVE-2004-1531HIGHpoc

SQL injection vulnerability in post.php in Invision Power Board (IPB) 2.0.0 through 2.0.2 allows remote attackers to execute arbitrary SQL commands via the qpid parameter.

31 Dec 2004
7.5
CVSS
CVE-2004-1836HIGHpoc

SQL injection vulnerability in index.php in Invision Power Top Site List 1.1 RC 2 and earlier allows remote attackers to execute arbitrary SQL via the id parameter of the comments action.

31 Dec 2004
7.5
CVSS
CVE-2004-0338CRITICAL

SQL injection vulnerability in search.php for Invision Board Forum allows remote attackers to execute arbitrary SQL queries via the st parameter.

23 Nov 2004
10.0
CVSS
CVE-2004-0355MEDIUM

Invision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message.

23 Nov 2004
5.0
CVSS
CVE-2004-0359MEDIUM

Cross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters.

23 Nov 2004
6.8
CVSS
CVE-2004-1785HIGH

SQL injection vulnerability in calendar.php for Invision Power Board 1.3 allows remote attackers to execute arbitrary SQL commands via the m parameter, which sets the $this->chosen_month variable.

3 Jan 2004
7.5
CVSS
CVE-2003-1454MEDIUM

Invision Power Services Invision Board 1.0 through 1.1.1, when a forum is password protected, stores the administrator password in a cookie in plaintext, which could allow remote attackers to gain access.

31 Dec 2003
5.0
CVSS
CVE-2003-1385MEDIUMpoc

ipchat.php in Invision Power Board 1.1.1 allows remote attackers to execute arbitrary PHP code, if register_globals is enabled, by modifying the root_path parameter to reference a URL on a remote web server that contains the code.

31 Dec 2003
6.8
CVSS
CVE-2002-1149MEDIUM

The installation procedure for Invision Board suggests that users install the phpinfo.php program under the web root, which leaks sensitive information such as absolute pathnames, OS information, and PHP settings.

11 Oct 2002
5.0
CVSS
← PrevPage 2 / 2Next →