Overview
Board Power fails to filter malicious content provided in the URL, leading to a cross-site scripting vulnerability. Attackers who exploit this vulnerability may be able to execute arbitrary scripts.
Description
Board Power is a forum application available for multiple operating systems. There are reports of a cross-site scripting vulnerability in Board Power v2.04 PF. According to the reports, the application fails to filter malicious content passed into the "action" parameter of icq.cgi. Other versions of Board Power may also be affected. |
Impact
If a site is compromised, sensitive information may be exposed, allowing an attacker to gather information such as passwords and credit card numbers. Information stored in cookies may also be stolen or corrupted. |
Solution
We are currently unaware of a practical solution to this problem. It appears that Board Power is no longer supported and has not been updated since 2000. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Alexander Antipov for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
| CVE IDs: | None |
| Severity Metric: | 3.80 |
| Date Public: | 2004-07-15 |
| Date First Published: | 2004-08-05 |
| Date Last Updated: | 2004-08-18 15:22 UTC |
| Document Revision: | 9 |