Vulnerabilities > CVE-2016-2564 - Insufficient Entropy vulnerability in Invisioncommunity Invision Power Board
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
References
- https://invisionpower.com/release-notes/419-r37/
- https://invisionpower.com/release-notes/419-r37/
- https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9
- https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9