{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the \"<> Source\" option."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:23:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/insecurity/status/862154908895780864"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/sxcurity/status/862284967715381248"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-8898", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the \"<> Source\" option."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt", "refsource": "MISC", "url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"}, {"name": "https://twitter.com/insecurity/status/862154908895780864", "refsource": "MISC", "url": "https://twitter.com/insecurity/status/862154908895780864"}, {"name": "https://twitter.com/sxcurity/status/862284967715381248", "refsource": "MISC", "url": "https://twitter.com/sxcurity/status/862284967715381248"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-8898", "datePublished": "2022-10-03T16:23:07", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2022-10-03T16:23:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7A015E6-3AFD-4A33-AA69-172D6161DCD1", "versionEndIncluding": "4.1.19.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the \"<> Source\" option."}, {"lang": "es", "value": "Invision Power Services (IPS) Community Suite 4.1.19.2 y anteriores tienen un XSS almacenado en Announcements, permitiendo escalada de privilegios desde un moderador Invision Power Board hasta admin. El ataque utiliza el par\u00e1metro announce_content en una petici\u00f3n index.php?/modcp/announcements/&action=create."}], "id": "CVE-2017-8898", "lastModified": "2020-06-03T14:55:02.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-11T17:29:00.207", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://zeroday.insecurity.zone/exploits/ipb_owned.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/insecurity/status/862154908895780864"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/sxcurity/status/862284967715381248"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}