[] NeoSense
E X P L O I T S
title author type platform port cve id

Invision Power Board (IP.Board) 4.x - Persistent Cross-Site Scripting

Author: snop
type: webapps
platform: php
port: 
date_added: 2015-08-27 
date_updated: 2018-01-08 
verified: 0 
codes: CVE-2015-6810;OSVDB-126805 
tags: 
aliases:  
screenshot_url:  
application_url: 
# Exploit Title: IP.Board 4.X Stored XSS
# Date: 27-08-2015
# Software Link: https://www.invisionpower.com/
# Exploit Author: snop.
# Contact: http://twitter.com/rabbitz_org
# Website: http://rabbitz.org
# Category: webapps

1. Description

A registered or non-registered user can create a calendar event
including malicious JavaScript code who will be permanently stored in
the pages source.

2. Proof of Concept

http://URL_TO_FORUM/calendar/submit/?calendar=1

POST:
Affected Paramter: event_location[address][]

3. Solution

Update to version 4.0.12.1
https://community.invisionpower.com/release-notes/40121-r22/

Disclosure Timeline
27.07.15: Vendor notified
05.08.15: Fix released
27.08.15: Public disclosure
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.