Vulnerability Description
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Invisioncommunity | Invision Power Board | <= 4.1.8.1 |
Related Weaknesses (CWE)
References
- https://invisionpower.com/release-notes/419-r37/Release NotesVendor Advisory
- https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-boar
- https://invisionpower.com/release-notes/419-r37/Release NotesVendor Advisory
- https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-boar
FAQ
What is CVE-2016-2564?
CVE-2016-2564 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board ...
How severe is CVE-2016-2564?
CVE-2016-2564 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-2564?
Check the references section above for vendor advisories and patch information. Affected products include: Invisioncommunity Invision Power Board.