CVE-2021-39249Use of Insufficiently Random Values in Invision Power Board

CWE-330Use of Insufficiently Random ValuesCWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.3%
top 43.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Invisioncommunity Invision Power Board
Timeline
PublishedAug 17
Latest updateMay 24

Description

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-59jh-f55w-rf36: Invision Community (aka IPS Community Suite or IP-Board) before 42022-05-24
CVEList
CVE-2021-39249: Invision Community (aka IPS Community Suite or IP-Board) before 42021-08-17
CVE-2021-39249 — Use of Insufficiently Random Values | cvebase