Vulnerability Note VU#744590
Board Power contains cross-site scripting vulnerability in the 'action' parameter of 'icq.cgi'
Board Power fails to filter malicious content provided in the URL, leading to a cross-site scripting vulnerability. Attackers who exploit this vulnerability may be able to execute arbitrary scripts.
Board Power is a forum application available for multiple operating systems. There are reports of a cross-site scripting vulnerability in Board Power v2.04 PF. According to the reports, the application fails to filter malicious content passed into the "action" parameter of icq.cgi. Other versions of Board Power may also be affected.
If a site is compromised, sensitive information may be exposed, allowing an attacker to gather information such as passwords and credit card numbers. Information stored in cookies may also be stolen or corrupted.
We are currently unaware of a practical solution to this problem. It appears that Board Power is no longer supported and has not been updated since 2000.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|The Webmaster Guide, Inc.||Affected||26 Jul 2004||29 Jul 2004|
CVSS Metrics (Learn More)
Thanks to Alexander Antipov for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: Unknown
- Date Public: 15 Jul 2004
- Date First Published: 05 Aug 2004
- Date Last Updated: 18 Aug 2004
- Severity Metric: 3.80
- Document Revision: 9
If you have feedback, comments, or additional information about this vulnerability, please send us email.