CVE-2021-39250

Published: Aug 17, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/

x_refsource_MISC

https://invisioncommunity.com/release-notes/4651-r102/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-39250

Description

Affected Products

References