CVE-2016-6174
First published: Tue Jul 12 2016(Updated: )
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Invision Community | <=4.1.12.3 | |
| PHP | <=5.4.23 | |
| PHP | =5.5.0 | |
| PHP | =5.5.0-alpha1 | |
| PHP | =5.5.0-alpha2 | |
| PHP | =5.5.0-alpha3 | |
| PHP | =5.5.0-alpha4 | |
| PHP | =5.5.0-alpha5 | |
| PHP | =5.5.0-alpha6 | |
| PHP | =5.5.0-beta1 | |
| PHP | =5.5.0-beta2 | |
| PHP | =5.5.0-beta3 | |
| PHP | =5.5.0-beta4 | |
| PHP | =5.5.0-rc1 | |
| PHP | =5.5.0-rc2 | |
| PHP | =5.5.1 | |
| PHP | =5.5.2 | |
| PHP | =5.5.3 | |
| PHP | =5.5.4 | |
| PHP | =5.5.5 | |
| PHP | =5.5.6 | |
| PHP | =5.5.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://karmainsecurity.com/KIS-2016-11
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
- http://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html
- http://seclists.org/fulldisclosure/2016/Jul/19
- http://www.securityfocus.com/bid/91732
- https://invisionpower.com/release-notes/4113-r44/
- https://support.apple.com/HT207170
- https://www.exploit-db.com/exploits/40084/
Frequently Asked Questions
What is the severity of CVE-2016-6174?
CVE-2016-6174 is classified as a critical vulnerability due to the potential for remote code execution.
How do I fix CVE-2016-6174?
To fix CVE-2016-6174, upgrade Invision Power Board to version 4.1.13 or later and ensure PHP is updated to 5.4.24 or 5.5.8 or later.
What are the affected versions for CVE-2016-6174?
CVE-2016-6174 affects Invision Power Board versions prior to 4.1.13 and certain PHP versions before 5.4.24 and between 5.5.0 and 5.5.7.
Can CVE-2016-6174 affect my web application?
Yes, if your web application is using an affected version of Invision Power Board or an outdated PHP version, it is vulnerable to CVE-2016-6174.
What type of attack does CVE-2016-6174 allow?
CVE-2016-6174 allows attackers to execute arbitrary code on the server, which can lead to complete system compromise.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/invisioncommunity
- canonical/invision community
- version/invision community/4.1.12.3
- vendor/php
- canonical/php
- version/php/5.4.23
- version/php/5.5.0
- version/php/5.5.0-alpha1
- version/php/5.5.0-alpha2
- version/php/5.5.0-alpha3
- version/php/5.5.0-alpha4
- version/php/5.5.0-alpha5
- version/php/5.5.0-alpha6
- version/php/5.5.0-beta1
- version/php/5.5.0-beta2
- version/php/5.5.0-beta3
- version/php/5.5.0-beta4
- version/php/5.5.0-rc1
- version/php/5.5.0-rc2
- version/php/5.5.1
- version/php/5.5.2
- version/php/5.5.3
- version/php/5.5.4
- version/php/5.5.5
- version/php/5.5.6
- version/php/5.5.7