cvedb.io
CVE-2017-8898
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2017-05-11T17:29:00.207 · Last modified 2026-06-17T01:27:10.050

Summary

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the "<> Source" option.

Affected products

invisioncommunity — invision_power_board

Does this affect you?

Add your gear to cvedb and we'll alert you only when invisioncommunity ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.