CVE-2021-32924

Published: Jun 1, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method.

Affected (1)

Products: Invisioncommunity: Ips Community Suite

Invisioncommunity

1 product

Ips Community Suite

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Invisioncommunity Ips Community Suite	Before 4.6.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (10)

http://karmainsecurity.com/KIS-2021-04

Source: cve@mitre.org

Third Party Advisory

http://packetstormsecurity.com/files/162868/IPS-Community-Suite-4.5.4.2-PHP-Code-Injection.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2021/May/80

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

https://hackerone.com/reports/1092574

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://invisioncommunity.com/features/security/

Source: cve@mitre.org

Vendor Advisory

http://karmainsecurity.com/KIS-2021-04