Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.
References
Link | Resource |
---|---|
https://invisionpower.com/release-notes/419-r37/ | Release Notes Vendor Advisory |
https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9 |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-04-23T15:00:00
Updated: 2017-04-23T14:57:01
Reserved: 2016-02-25T00:00:00
Link: CVE-2016-2564
JSON object: View
NVD Information
Status : Modified
Published: 2017-04-23T15:59:00.153
Modified: 2023-11-07T02:31:13.970
Link: CVE-2016-2564
JSON object: View
Redhat Information
No data.
CWE