CVE-2021-39249

Published: Aug 17, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.

Affected (1)

Products: Invisioncommunity: Invision Power Board

Invisioncommunity

1 product

Invision Power Board

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Invisioncommunity Invision Power Board	Before 4.6.5.1

Related CWEs

CWE-330

Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References (4)

https://invisioncommunity.com/release-notes/4651-r102/

Source: cve@mitre.org

Release NotesVendor Advisory

https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/

Source: cve@mitre.org

ExploitThird Party Advisory

https://invisioncommunity.com/release-notes/4651-r102/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.