Vulnerability Description
Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Invisioncommunity | Ips Community Suite | < 4.6.0 |
Related Weaknesses (CWE)
References
- http://karmainsecurity.com/KIS-2021-04 (Third Party Advisory)
- http://packetstormsecurity.com/files/162868/IPS-Community-Suite-4.5.4.2-PHP-Code (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2021/May/80 (Exploit, Mailing List, Third Party Advisory)
- https://hackerone.com/reports/1092574 (Exploit, Issue Tracking, Third Party Advisory)
- https://invisioncommunity.com/features/security/ (Vendor Advisory)
FAQ
What is CVE-2021-32924?
CVE-2021-32924 is a vulnerability with a CVSS score of 8.8 (HIGH). Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method.
How severe is CVE-2021-32924?
CVE-2021-32924 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above.
Is there a patch for CVE-2021-32924?
Check the References section above for vendor advisories and patch information; the affected product is Invision Community (IPS Community Suite) before version 4.6.0.