Message-ID: <CAJeQoQcpMxHUwunCe8mogpAa4RnoLR7kpbQpv=eZV7boHEfwAw@mail.gmail.com>
Date: Wed, 14 May 2025 14:31:05 +0200
From: Egidio Romano <n0b0d13s@...il.com>
To: fulldisclosure@...lists.org
Cc: submissions@...ketstormsecurity.com, submit@...sec.com
Subject: [FD] [KIS-2025-02] Invision Community <= 5.0.6 (customCss) Remote
 Code Execution Vulnerability

---------------------------------------------------------------------------
Invision Community <= 5.0.6 (customCss) Remote Code Execution Vulnerability
---------------------------------------------------------------------------


[-] Software Link:

https://invisioncommunity.com


[-] Affected Versions:

All versions from 5.0.0 to 5.0.6.


[-] Vulnerability Description:

The vulnerability is located in the
/applications/core/modules/front/system/themeeditor.php script,
specifically in the
IPS\core\modules\front\system\themeeditor::customCss() method. This
protected method can be invoked by unauthenticated users and passes the
value of the "content" request parameter to the
Theme::makeProcessFunction() method. As a result, the input is processed by
the template engine. This behavior can be exploited by unauthenticated
attackers to inject and execute arbitrary PHP code by supplying crafted
template strings.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-47916.php


[-] Solution:

Upgrade to version 5.0.7 or later.


[-] Disclosure Timeline:

[10/05/2025] - Vendor notified
[12/05/2025] - Version 5.0.7 released
[12/05/2025] - CVE identifier requested
[14/05/2025] - CVE identifier assigned
[14/05/2025] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2025-47916 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Other References:

https://invisioncommunity.com/release-notes-v5/507-r41/


[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-02
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
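
The bug class described in the advisory (a protected method reachable through request-driven dispatch) can be shown with a toy controller next to a hardened one. This is an added example, not code from the advisory or from Invision Community; the class names, the `do` and `content` array keys, the `$isThemeAdmin` flag and the string stand-in for the template-engine call are all hypothetical.

```php
<?php
// Hypothetical toy controllers; none of this is Invision Community code.

class VulnerableController
{
    // Looks non-public, so a reviewer may assume a request cannot reach it.
    protected function customCss(string $content): string
    {
        // Stand-in for handing the input to a template compiler.
        return 'would compile: ' . $content;
    }

    // Dispatch by request-supplied name. method_exists() ignores visibility,
    // and the call is made from inside the class, so protected methods run too.
    public function execute(array $request): string
    {
        $do = (string) ($request['do'] ?? '');
        if ($do !== '' && method_exists($this, $do)) {
            return $this->$do((string) ($request['content'] ?? ''));
        }
        return 'not found';
    }
}

class HardenedController extends VulnerableController
{
    // Explicit allowlist of actions a request may name.
    private const ACTIONS = ['customCss'];

    public function execute(array $request, bool $isThemeAdmin = false): string
    {
        $do = (string) ($request['do'] ?? '');
        if (!in_array($do, self::ACTIONS, true)) {
            return 'not found';          // unknown or internal method name
        }
        if (!$isThemeAdmin) {
            return 'forbidden';          // authorization checked before dispatch
        }
        return parent::execute($request);
    }
}

// Constructed sample request, no session or privileges attached.
$request = ['do' => 'customCss', 'content' => 'sample text'];
var_dump((new VulnerableController())->execute($request));
var_dump((new HardenedController())->execute($request));
```

The hardened variant only illustrates gating dispatch with an allowlist and an authorization check; the advisory does not say how 5.0.7 fixes the issue, so upgrading remains the stated solution.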
