| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 49232 | 2008-10-16 | IP Reg it.php vlan_id Parameter SQL Injection | IP Reg contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the it.php script not properly sanitizing user-supplied input to the vlan_id variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 49231 | 2008-10-16 | IP Reg locationdel.php location_id Parameter SQL Injection | IP Reg contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the locationdel.php script not properly sanitizing user-supplied input to the location_id variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 49026 | 2008-10-03 | IP Reg login.php user_name Parameter SQL Injection | IP Reg contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'login.php' script not properly sanitizing user-supplied input to the 'user_name' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 39780 | 2007-12-22 | Ip Reg nodelist.php subnet_id Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in Ip Reg 0.3 allow remote attackers to execute arbitrary SQL commands via the vlan_id parameter to (1) vlanview.php, (2) vlanedit.php, and (3) vlandel.php; the (4) assetclassgroup_id parameter to assetclassgroupview.php; the (5) subnet_id parameter to nodelist.php; and unspecified other vectors. NOTE: it was later reported that the vlanview.php and vlandel.php vectors are also in 0.4. |
| 39778 | 2007-12-22 | Ip Reg vlandel.php vlan_id Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in Ip Reg 0.3 allow remote attackers to execute arbitrary SQL commands via the vlan_id parameter to (1) vlanview.php, (2) vlanedit.php, and (3) vlandel.php; the (4) assetclassgroup_id parameter to assetclassgroupview.php; the (5) subnet_id parameter to nodelist.php; and unspecified other vectors. NOTE: it was later reported that the vlanview.php and vlandel.php vectors are also in 0.4. |
| 39777 | 2007-12-22 | Ip Reg vlanedit.php vlan_id Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in Ip Reg 0.3 allow remote attackers to execute arbitrary SQL commands via the vlan_id parameter to (1) vlanview.php, (2) vlanedit.php, and (3) vlandel.php; the (4) assetclassgroup_id parameter to assetclassgroupview.php; the (5) subnet_id parameter to nodelist.php; and unspecified other vectors. NOTE: it was later reported that the vlanview.php and vlandel.php vectors are also in 0.4. |
| 39776 | 2007-12-22 | Ip Reg vlanview.php vlan_id Parameter SQL Injection | (Description Provided by CVE): Multiple SQL injection vulnerabilities in Ip Reg 0.3 allow remote attackers to execute arbitrary SQL commands via the vlan_id parameter to (1) vlanview.php, (2) vlanedit.php, and (3) vlandel.php; the (4) assetclassgroup_id parameter to assetclassgroupview.php; the (5) subnet_id parameter to nodelist.php; and unspecified other vectors. NOTE: it was later reported that the vlanview.php and vlandel.php vectors are also in 0.4. |
| 37534 | 2007-05-20 | IP-Tracking Module for phpBB IP-Search Function Search Query Field SQL Injection | (Description Provided by CVE): SQL injection vulnerability in the IP-Search functionality in the IP-Tracking Mod for phpBB 2.0.x allows remote authenticated administrators to execute arbitrary SQL commands via the Search Query field. |
| 90723 | 2012-11-06 | IP.Blog Module for IP.Board ModCP Functionality Blog Access Restriction Bypass | IP.Blog Module for IP.Board contains a flaw in the ModCP functionality. This issue is due to the program failing to properly restrict access to previews of blog entries and drafts. This may allow a remote attacker to gain access to restricted blogs. |
| 80036 | 2012-03-14 | IP.Board /admin/extensions/coreVariables.php Unspecified XSS | IP.Board contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input upon submission to the /admin/extensions/coreVariables.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 91740 | 2013-03-25 | IP.Board /admin/index.php Unspecified Parameter XSS | IP.Board contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input upon submission to the /admin/index.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 79423 | 2012-02-20 | IP.Board Admin CP Failed Login Unspecified XSS | IP.Board contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain fields upon submission to the 'Admin' control panel. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser when viewing details of failed login attempts within the trust relationship between their browser and the server. |
| 48355 | 2008-08-29 | IP.Board admin.php INFO[base_url] Variable Arbitrary Site Redirect | Unknown / Incomplete |
| 48356 | 2008-08-29 | IP.Board admin.php INFO[base_url] Variable Path Disclosure | Unknown / Incomplete |
| 60423 | 2009-08-18 | IP.Board admin/applications/core/modules_public/global/lostpass.php aid Parameter SQL Injection | IP.Board contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/applications/core/modules_public/global/lostpass.php' script not properly sanitizing user-supplied input to the 'aid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 83736 | 2012-07-11 | IP.Board admin/applications/core/modules_public/search/search.php Search Page XSS | IP.Board contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the search page upon submission to the admin/applications/core/modules_public/search/search.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 60422 | 2009-08-18 | IP.Board admin/applications/core/modules_public/search/search.php search_term Parameter SQL Injection | IP.Board contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/applications/core/modules_public/search/search.php' script not properly sanitizing user-supplied input to the 'search_term' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 86702 | 2012-10-26 | IP.Board admin/sources/base/core.php IPSCookie::get() Method Arbitrary PHP Code Execution | Invision Power Board (aka IPB or IP.Board) contains a flaw related to the IPSCookie::get() method defined in admin/sources/base/core.php script. User-supplied input passed through cookies is not properly sanitized before being used in a unserialize() call. With a specially crafted serialized object, a remote attacker might be able to create a file containing arbitrary PHP code abusing the __destruct method of the dbMain class. |
| 67878 | 2010-09-08 | IP.Board admin/sources/classes/bbcode/custom/defaults.php BBCode XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbcode/custom/defaults.php in Invision Power Board (IP.Board) 3.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 64705 | 2010-05-14 | IP.Board admin/sources/classes/bbcode/custom/defaults.php URI XSS | IP.Board contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URI upon submission to the 'admin/sources/classes/bbcode/custom/defaults.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 65608 | 2010-06-09 | IP.Board Calendar Application XSS | Unknown / Incomplete |
| 65456 | 2010-06-09 | IP.Board Calendar Module Unspecified XSS | Unknown / Incomplete |
| 35427 | 2007-04-26 | IP.Board class_upload.php Image / PDF XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in Invision Power Board (IP.Board) 2.1.x and 2.2.x allows remote attackers to inject arbitrary web script or HTML by uploading crafted images or PDF files. |
| 41938 | 2008-02-20 | IP.Board Crafted BBCodes XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB or IP.Board) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via crafted BBCodes in an unspecified context. |
| 93288 | 2013-05-13 | IP.Board Crafted User Email Field Arbitrary Account Password Manipulation | Invision Power Board (IP.Board) contains a flaw related to a failure to properly sanitize input passed via the 'User Email' field. This may allow a remote attacker to manipulate an arbitrary user's password. |
| 48353 | 2008-08-29 | IP.Board Deep Recursion Protection Bypass | Unknown / Incomplete |
| 70842 | 2011-02-08 | IP.Board Forum Password System Topic Title Disclosure | IP.Board contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the application fails to check authentication when viewing topic titles, which will disclose topic titles from password protected forums to a remote attacker. |
| 60879 | 2009-12-04 | IP.Board forum/index.php section Parameter Traversal Local File Inclusion | IP.Board contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'forum/index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'section' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 60877 | 2009-12-04 | IP.Board forum/index.php starter Parameter SQL Injection | IP.Board contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'forum/index.php' script not properly sanitizing user-supplied input to the 'starter' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 82807 | 2007-11-28 | IP.Board Image/Code Pre-generation CAPTCHA Bypass | IP.Board contains a flaw that may allow an attacker to bypass CAPTCHA testing by creating a pre-generated image or code and supplying it in the answer field of the test. No further details have been provided. |