CVE-2007-4913

Invision Power Board < 2.3.1 - Arbitrary File Upload via Crafted Image Filename

Title source: llm
STIX 2.1

Description

ips_kernel/class_upload.php in Invision Power Board (IPB or IP.Board) 2.3.1 up to 20070912 allows remote attackers to upload arbitrary script files with crafted image filenames to uploads/, where they are saved with a .txt extension and are not executable. NOTE: there are limited usage scenarios under which this would be a vulnerability, but it is being tracked by CVE since the vendor has stated it is security-relevant.

References (2)

Core 2

Scores

EPSS 0.0123
EPSS Percentile 65.3%

Details

CWE
CWE-94
Status published
Products (7)
invision_power_services/invision_power_board 2.1.5_2006-03-08
invision_power_services/invision_power_board 2.1.5_2006-04-25
invision_power_services/invision_power_board 2.1.6
invision_power_services/invision_power_board 2.2
invision_power_services/invision_power_board 2.2.1
invision_power_services/invision_power_board 2.2.2
invision_power_services/invision_power_board < 2.3.1
Published Sep 17, 2007
Tracked Since Feb 18, 2026