
IP Board < 3.4.2 - Persistent Cross Site Scripting Vulnerability

Info

Date: Reported in December 2012

Exploit Author: Wuming tgh / Anakorn Kyavatanakij

Vendor Homepage: https://www.invisionpower.com

Software Link: https://www.invisionpower.com

Version: Affecting all versions below 3.4.2 (Fixed)

Details

  1. Go to "My Settings" to edit your user profile: example.com/index.php?app=core&module=usercp&tab=core
  2. Find the "Profile Information" input field (a textarea).
  3. Fill in the input field with the XSS Attack Vector: </textarea><script> your script </script>
  4. Whenever an admin views your profile in the admin panel, the payload will be executed.
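
The steps above work because the stored value is echoed between `<textarea>` tags without output encoding, so the first `</textarea>` in the data closes the field early. The following is an added example, not IP.Board code and not part of the original advisory: it models the admin-side rendering with two hypothetical template functions (`render_admin_field_unsafe`, `render_admin_field_escaped`) and parses each result to check whether the field still contains the data.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the profile value from step 3 of the write-up.
STORED_PROFILE_INFO = "</textarea><script> your script </script>"


def render_admin_field_unsafe(value: str) -> str:
    """Hypothetical admin-panel template that echoes the stored value as-is."""
    return '<textarea name="profile_info">' + value + "</textarea>"


def render_admin_field_escaped(value: str) -> str:
    """Same template with HTML output encoding applied at render time."""
    return ('<textarea name="profile_info">'
            + html.escape(value, quote=True) + "</textarea>")


class _TagAudit(HTMLParser):
    """Records the start tags a parser sees and the text it treats as data."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.start_tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(markup: str):
    """Return (start tags, concatenated text) for a rendered fragment."""
    parser = _TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.start_tags, "".join(parser.text)


def field_is_contained(markup: str) -> bool:
    """True when the fragment parses as a single textarea and nothing else."""
    tags, _ = audit(markup)
    return tags == ["textarea"]


if __name__ == "__main__":
    for render in (render_admin_field_unsafe, render_admin_field_escaped):
        out = render(STORED_PROFILE_INFO)
        print(render.__name__, field_is_contained(out), audit(out)[0])
```

The same `field_is_contained` check can be run as a regression test over any template that places user-controlled profile data inside a form field.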