Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.5
CVE Id: CVE-2006-2204
Last Modified: 07 Mar 2011 09:35:32
Published: 05 May 2006 08:46:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE

CVE-2006-2204

Summary

SQL injection vulnerability in the topic deletion functionality (post_delete function in func_mod.php) for Invision Power Board 2.1.5 allows remote authenticated moderators to execute arbitrary SQL commands via the selectedpids parameter, which bypasses an integer value check when the $id variable is an array.

Vulnerable Systems

Application

  • Invision Power Services Invision Power Board 2.0.0

  • Invision Power Services Invision Power Board 2.0.1

  • Invision Power Services Invision Power Board 2.0.2

  • Invision Power Services Invision Power Board 2.0.3

  • Invision Power Services Invision Power Board 2.0.4

  • Invision Power Services Invision Power Board 2.0.x

  • Invision Power Services Invision Power Board 2.1

  • Invision Power Services Invision Power Board 2.1 Alpha2

  • Invision Power Services Invision Power Board 2.1 Beta2

  • Invision Power Services Invision Power Board 2.1 Beta3

  • Invision Power Services Invision Power Board 2.1 Beta4

  • Invision Power Services Invision Power Board 2.1 Beta5

  • Invision Power Services Invision Power Board 2.1 Rc1

  • Invision Power Services Invision Power Board 2.1.0

  • Invision Power Services Invision Power Board 2.1.1

  • Invision Power Services Invision Power Board 2.1.2

  • Invision Power Services Invision Power Board 2.1.3

  • Invision Power Services Invision Power Board 2.1.4

  • Invision Power Services Invision Power Board 2.1.5


References

BID - 17837

BUGTRAQ - 20060504 Re: Invision Power Board v2.1.5 Remote SQL Injection

SECUNIA - 19901

CONFIRM - http://forums.invisionpower.com/index.php?showtopic=214248&view=getnewpo

VUPEN - ADV-2006-1605

BUGTRAQ - 20060428 Invision Power Board v2.1.5 Remote SQL Injection

XF - invision-func_mod-sql-injection(26190)

SREASON - 551


Last Updated: 27 May 2016 10:42:22