VWE-2017-3734

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2017-3734
Common Name: None
VWE-ID: VWE-2017-3734
Related Report: #5040
Severity: LOW
Exploit Difficulty: EASY
Platform: Affects all platforms supported by the vulnerable versions.
Description: Phishing. Using some BB-Code options, users can place content outside posts and other messages. For example, a user can place an invisible link over legitimate site navigation links and direct users to another web site that looks like a legitimate login page. Does not affect Lite versions.
Discovered: May 2, 2017
Resolved: May 16, 2017
Patches Available: 4.0.17 Patch Level 2, 4.0.16 Patch Level 3, 4.0.15 Patch Level 7, 4.0.14 Patch Level 10, 4.0.13 Patch Level 10, 4.0.12 Patch Level 11, 4.0.11 Patch Level 11
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.

Notes

The patch hides content that flows outside permitted content boxes and makes it more difficult for users to achieve this effect using BB-Code alone. However, users are still permitted to post content in non-standard places, such as header integrations, sidebar blocks, etc.

Phishing attacks are always possible as long as users can post links on your web site, although they may be less effective when the links appear within the visual bounds of a user's post. Phishing vulnerabilities are considered mitigated if it is clear that a user posted the link or the link otherwise appears in the content area of the page. In many cases, the only real defense against such attacks is vigilance by the victim: checking that the address bar still shows the expected site.
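The notes above describe the core of the issue as links rendered outside the visual bounds of the post that contains them. The following is an added example, not VaultWiki's own code or patch: a moderation/QA check that flags links whose rendered box escapes its post box, usable as a regression test for the clipping fix or to spot the effect in places the patch does not cover. It assumes post bodies carry the class "postcontent" and takes geometry as plain rectangles so the logic also runs outside a browser.

```javascript
// Added example (not VaultWiki's code): flag links whose rendered box lies
// (partly) outside the post that contains them. Rectangles are
// {left, top, width, height} in page coordinates; in a browser they come from
// getBoundingClientRect(), which reports the layout box even when an ancestor
// clips it with overflow:hidden, so this detects placement, not visibility.

function intersectArea(a, b) {
  const w = Math.min(a.left + a.width, b.left + b.width) - Math.max(a.left, b.left);
  const h = Math.min(a.top + a.height, b.top + b.height) - Math.max(a.top, b.top);
  return w > 0 && h > 0 ? w * h : 0;
}

// Fraction of the link's area that falls outside its post box (0 = fully inside).
function outsideFraction(linkBox, postBox) {
  const area = linkBox.width * linkBox.height;
  if (area <= 0) return 0; // a zero-size link has no clickable area
  return 1 - intersectArea(linkBox, postBox) / area;
}

// posts: [{ id, box, links: [{ href, box }] }]; returns links whose outside
// fraction exceeds the threshold, in document order.
function findEscapedLinks(posts, threshold = 0) {
  const found = [];
  for (const post of posts) {
    for (const link of post.links) {
      const outside = outsideFraction(link.box, post.box);
      if (outside > threshold) found.push({ postId: post.id, href: link.href, outside });
    }
  }
  return found;
}

// Browser glue (assumption: post bodies carry the class "postcontent").
function collectPosts(doc) {
  const toBox = (el) => {
    const r = el.getBoundingClientRect();
    return { left: r.left, top: r.top, width: r.width, height: r.height };
  };
  return Array.from(doc.querySelectorAll('.postcontent')).map((el, i) => ({
    id: el.id || `post-${i}`,
    box: toBox(el),
    links: Array.from(el.querySelectorAll('a[href]')).map((a) => ({ href: a.getAttribute('href'), box: toBox(a) })),
  }));
}

// Constructed sample: one post with a normal link, a link sitting over the site
// header (fully outside the post) and a link spilling past the bottom-right corner.
const SAMPLE_POSTS = [{
  id: 'post-1', box: { left: 100, top: 200, width: 600, height: 300 },
  links: [
    { href: '/forum/thread/42', box: { left: 120, top: 220, width: 200, height: 20 } },
    { href: 'http://login.example.invalid/', box: { left: 0, top: 0, width: 400, height: 40 } },
    { href: 'http://example.invalid/x', box: { left: 650, top: 480, width: 100, height: 40 } },
  ],
}];
```

In a page, `findEscapedLinks(collectPosts(document))` runs the same check over live posts; a non-zero threshold tolerates links that merely touch the box edge.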