Critical issues reported in Invision Community forum software
Take action: If you are running Invision Community, update to the latest version. Lock down administrator accounts with strong credentials (and multi-factor authentication where available) and raise phishing awareness among your admins: the unpatched file-upload flaw needs an administrator account, so a phished admin is the attacker's interim step to compromising the site.
Learn More
Invision Community, forum software that powers the community sites of major brands such as Evernote, Sony, Corsair, Mattel, and LEGO, has two significant security vulnerabilities reported by researcher Egidio Romano.
Romano uncovered two main issues:
- A blind SQL injection vulnerability, tracked as CVE-2024-30163, has existed since version 4.4.0 was released in February 2019. The flaw is in the `/applications/nexus/modules/front/store/store.php` script, where user input reaches a database query without proper sanitization, so an unauthenticated attacker can perform time-based or error-based blind SQL injection. Because password reset keys are stored in plaintext, an attacker can extract one, reset a password, gain administrative access, and from there reach remote code execution. This vulnerability is patched in version 4.7.16.
- A malicious file upload vulnerability, tracked as CVE-2024-30162, resides in the `/applications/core/modules/admin/editor/toolbar.php` script and lets an attacker execute arbitrary PHP code by uploading a crafted ZIP file. Exploiting it requires an administrator account with the "toolbar_manage" permission. At the time of writing this flaw is still unpatched.
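To make the "blind" part of the first issue concrete, the following is an added illustration of the vulnerability class on a constructed in-memory SQLite database; it is not Invision Community's code and does not reproduce the actual flaw in store.php. The table names, the `category` parameter and the sample reset key are all invented for the example. It shows the same query built unsafely and with bound parameters, an error oracle of the kind an error-based attack relies on, and how a boolean oracle alone is enough to read a plaintext reset key one character at a time (SQLite has no sleep function, so the time-based variant is not shown, but it substitutes a delay for the true/false signal).

```python
import sqlite3

# Constructed sample data for this example only; not a real Invision schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Forum Pro", "licenses"),
        (2, "Theme Pack", "addons"),
        (3, "Hosting", "services"),
    ])
    # Reset key kept in plaintext, the condition the advisory says makes the bug so severe.
    con.execute("CREATE TABLE members (id INTEGER, name TEXT, reset_key TEXT)")
    con.execute("INSERT INTO members VALUES (1, 'admin', 'k3y-plaintext')")
    return con

def list_products_vulnerable(con, category):
    # Untrusted input interpolated straight into the SQL string: the injection pattern.
    sql = f"SELECT id, name FROM products WHERE category = '{category}'"
    return con.execute(sql).fetchall()

def list_products_fixed(con, category):
    # Bound parameter: the value can never change the query structure.
    sql = "SELECT id, name FROM products WHERE category = ?"
    return con.execute(sql, (category,)).fetchall()

def injection_causes_error(con, query_fn, payload):
    """Error oracle: True if the payload makes the query raise a database error.
    A vulnerable endpoint that surfaces this difference enables error-based injection."""
    try:
        query_fn(con, payload)
        return False
    except sqlite3.OperationalError:
        return True

def extract_reset_key_blind(con, query_fn, max_len=16):
    """Recover members.reset_key using only a yes/no signal (row returned or not).
    Against the fixed query the probe is just a literal category and nothing leaks."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for c in alphabet:
            # Valid category AND a subquery that is true only for the right character.
            probe = (f"licenses' AND (SELECT substr(reset_key,{pos},1) "
                     f"FROM members WHERE id=1)='{c}")
            if len(query_fn(con, probe)) > 0:
                hit = c
                break
        if hit is None:      # substr past the end returns '' -> no match -> done
            break
        recovered += hit
    return recovered

if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable query:", extract_reset_key_blind(db, list_products_vulnerable))
    print("leaked via fixed query:     ", repr(extract_reset_key_blind(db, list_products_fixed)))
```

The attacker never sees the reset key in a response; the key is reconstructed purely from whether each probe returns rows, which is why a "blind" injection in an unauthenticated endpoint still leads to account takeover when secrets sit in the database in plaintext.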
Users are advised to update Invision Community to the latest version and to lock down administrator accounts, since the unpatched upload flaw is only reachable from a privileged account; keeping those accounts hard to compromise is the main way to reduce the risk of a malicious upload until a fix ships.
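For the unpatched upload issue, the defensive control is to inspect an uploaded archive before anything is extracted into the web root. The following is an added example of such a check, written here as a stand-alone Python utility; it is not Invision Community code and makes no claim about how toolbar.php actually handles archives. The allow-list of extensions, the size limits and the sample archives are assumptions for the example. It rejects PHP and server-configuration entries (including double extensions such as `x.php.png`), absolute paths, `..` traversal ("zip slip") and symlinks, which together cover the usual ways a ZIP upload turns into code execution on a PHP host.

```python
import io
import posixpath
import zipfile

# Assumed policy for this example: what a front-end toolbar bundle may contain.
FORBIDDEN_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7",
                 ".phps", ".phar", ".htaccess", ".user.ini"}
ALLOWED_EXT = {".js", ".css", ".json", ".png", ".svg", ".gif", ".jpg"}

def check_entry_name(name):
    """Return a reason string if the archive entry name is unsafe, else None."""
    first = name.replace("\\", "/").split("/")[0]
    if name.startswith(("/", "\\")) or ":" in first:
        return "absolute path"
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return "path traversal"
    base = posixpath.basename(norm).lower()
    # Any dotted component that is an executable/config extension is rejected,
    # so shell.php, shell.php.png and .htaccess are all caught.
    parts = base.split(".")
    if any("." + p in FORBIDDEN_EXT for p in parts[1:]):
        return "executable or server-config file"
    ext = posixpath.splitext(base)[1]
    if not name.endswith("/") and ext not in ALLOWED_EXT:
        return "extension not on allow-list"
    return None

def validate_toolbar_zip(data, max_entries=200, max_total=5_000_000):
    """Inspect uploaded ZIP bytes before extraction.
    Returns a list of findings; an empty list means the archive is acceptable."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            findings.append("too many entries")
        if sum(i.file_size for i in infos) > max_total:
            findings.append("decompressed size too large")   # zip-bomb guard
        for info in infos:
            # Unix mode lives in the high 16 bits of external_attr; 0o120000 is a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"{info.filename}: symlink")
            reason = check_entry_name(info.filename)
            if reason:
                findings.append(f"{info.filename}: {reason}")
    return findings

def build_zip(entries):
    """Construct a test archive from (name, bytes) pairs; a name ending in '/' is a directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample archives, not real uploads.
    ok = build_zip([("toolbar/", b""), ("toolbar/button.js", b"// ok")])
    bad = build_zip([("toolbar/shell.php", b"<?php phpinfo();"),
                     ("../../index.phtml", b""), ("toolbar/x.php.png", b"")])
    print("clean bundle:", validate_toolbar_zip(ok))
    print("hostile bundle:", validate_toolbar_zip(bad))
```

Run the validation on the raw upload and refuse the whole archive on any finding rather than skipping individual entries; a partially extracted bundle is harder to reason about than a rejected one. The check is a compensating control only: it narrows what an already-privileged account can do, but it does not replace patching once a fixed release is available.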