CVE-2021-39250

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://invisioncommunity.com/release-notes/4651-r102/	Release Notes Vendor Advisory
https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-08-17 23:15

Updated : 2021-08-25 18:44

NVD link : CVE-2021-39250

Mitre link : CVE-2021-39250

CVE.ORG link : CVE-2021-39250

JSON object : View

Products Affected

invisioncommunity

invision_power_board

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-39250", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2021-08-17T23:15:07.660", "references": [{"url": "https://invisioncommunity.com/release-notes/4651-r102/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML)."}, {"lang": "es", "value": "Invision Community (tambi\u00e9n se conoce como IPS Community Suite o IP-Board) versiones anteriores a 4.6.5.1 permite un ataque de tipo XSS almacenado, con la consiguiente ejecuci\u00f3n de c\u00f3digo, porque un archivo cargado puede colocarse en un elemento IFRAME dentro del contenido generado por el usuario. Para la ejecuci\u00f3n de c\u00f3digo, el atacante puede confiar en la habilidad de un administrador para instalar widgets, la divulgaci\u00f3n del ID de sesi\u00f3n del administrador en un encabezado Referer, y la habilidad de un administrador para usar el motor de plantillas (por ejemplo, Editar HTML)."}], "lastModified": "2021-08-25T18:44:28.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:invisioncommunity:invision_power_board:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11BFD544-1F71-48B6-909E-7E54E71C6528", "versionEndExcluding": "4.6.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}