CVE-2021-39250 — Cross-site Scripting in Invision Power Board

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 36.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Invisioncommunity Invision Power Board

Timeline

PublishedAug 17

Latest updateMay 24

Description

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDinvisioncommunity/invision_power_board< 4.6.5.1

🔴Vulnerability Details

GHSA

GHSA-3p7x-m58j-fm72: Invision Community (aka IPS Community Suite or IP-Board) before 4↗2022-05-24

▶

CVEList

CVE-2021-39250: Invision Community (aka IPS Community Suite or IP-Board) before 4↗2021-08-17

▶