Evaluator Solution

An update for that addressed this vulnerability is available on the Invision Power Services web site. The following requirements must be met for this attack to take place: - The database table prefix must be known - The admin must have access to the SQL Toolbox (any "root admin") - The admin must have images and referers turned on in their browser, and their browser must follow Location headers (default behaviour for most browsers) - The admin must view a malicious script as an image in their browser

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Known Affected Software Configurations Switch to CPE 2.2

Change History

http://forums.invisionpower.com/index.php?showtopic=227937

http://secunia.com/advisories/22272

http://www.securityfocus.com/archive/1/447710/100/0/threaded

http://www.vupen.com/english/advisories/2006/3927

https://exchange.xforce.ibmcloud.com/vulnerabilities/29351

http://www.securityfocus.com/archive/1/447710/100/0/threaded [No Types Assigned]

http://www.securityfocus.com/archive/1/archive/1/447710/100/0/threaded [Exploit, Vendor Advisory]

https://exchange.xforce.ibmcloud.com/vulnerabilities/29351 [No Types Assigned]

http://xforce.iss.net/xforce/xfdb/29351 [Exploit]