CVE-2007-4913
Invision Power Board < 2.3.1 - Arbitrary File Upload via Crafted Image Filename
Title source: llmDescription
ips_kernel/class_upload.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to upload arbitrary script files with crafted image filenames to uploads/, where they are saved with a .txt extension and are not executable. NOTE: there are limited usage scenarios under which this would be a vulnerability, but it is being tracked by CVE since the vendor has stated it is security-relevant.
References (2)
Core 2
Core References
Patch x_refsource_confirm
http://forums.invisionpower.com/index.php?act=attach&type=post&id=11870
Various Sources x_refsource_confirm
http://forums.invisionpower.com/index.php?showtopic=237075
Scores
EPSS
0.0123
EPSS Percentile
65.3%
Details
CWE
CWE-94
Status
published
Products (7)
invision_power_services/invision_power_board
2.1.5_2006-03-08
invision_power_services/invision_power_board
2.1.5_2006-04-25
invision_power_services/invision_power_board
2.1.6
invision_power_services/invision_power_board
2.2
invision_power_services/invision_power_board
2.2.1
invision_power_services/invision_power_board
2.2.2
invision_power_services/invision_power_board
< 2.3.1
Published
Sep 17, 2007
Tracked Since
Feb 18, 2026