Vulnerabilities > CVE-2006-5203 - Cross-Site Scripting vulnerability in Invision Power Board
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Invision Power Board (IPB) 2.1.7 and earlier allows remote restricted administrators to inject arbitrary web script or HTML, or execute arbitrary SQL commands, via a forum description that contains a crafted image with PHP code, which is executed when the user visits the "Manage Forums" link in the Admin control panel. The following requirements must be met for this attack to take place: - The database table prefix must be known - The admin must have access to the SQL Toolbox (any "root admin") - The admin must have images and referers turned on in their browser, and their browser must follow Location headers (default behaviour for most browsers) - The admin must view a malicious script as an image in their browser