
Invision Power Services has published patches to fix a series of four cross-site scripting (XSS) vulnerabilities affecting IP.Board 3.3.4, IP.Board 3.4.5, IP.Gallery 4.2.1 and IP.Gallery 5.0.5.
The first flaw exists in a third-party script included in the “Flowplayer” release. The script in question is only used by IP.Gallery for embedding certain media files when an administrator allows them to be uploaded. The vulnerability cannot be exploited without user interaction.
The second security hole affects a third-party script included in the “swfupload” release of IP.Board. This bug can only be exploited if the attacker convinces the victim to click on a malicious link.
The last two issues are reflected XSS vulnerabilities that exist within the IP.Board editor routines.
The patches are available on the IPS Community website.
You can download IP.Board