Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-17T22:02:12

Updated: 2024-08-04T02:06:40.952Z

Reserved: 2021-08-17T00:00:00

Link: CVE-2021-39250

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-08-17T23:15:07.660

Modified: 2024-11-21T06:19:01.570

Link: CVE-2021-39250

cve-icon Redhat

No data.