Vulnerability Description
ips_kernel/class_upload.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to upload arbitrary script files with crafted image filenames to uploads/, where they are saved with a .txt extension and are not executable. NOTE: there are limited usage scenarios under which this would be a vulnerability, but it is being tracked by CVE since the vendor has stated it is security-relevant.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Invision Power Services | Invision Power Board | <= 2.3.1 |
Related Weaknesses (CWE)
References
- http://forums.invisionpower.com/index.php?act=attach&type=post&id=11870Patch
- http://forums.invisionpower.com/index.php?showtopic=237075
- http://forums.invisionpower.com/index.php?act=attach&type=post&id=11870Patch
- http://forums.invisionpower.com/index.php?showtopic=237075
FAQ
What is CVE-2007-4913?
CVE-2007-4913 is a vulnerability with a CVSS score of 7.5 (HIGH). ips_kernel/class_upload.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to upload arbitrary script files with crafted image filenames to uploads/, where they...
How severe is CVE-2007-4913?
CVE-2007-4913 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-4913?
Check the references section above for vendor advisories and patch information. Affected products include: Invision Power Services Invision Power Board.