Vulnerabilities > Invisioncommunity
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-06-07 | CVE-2024-30163 | SQL Injection vulnerability in Invisioncommunity: Invision Community before 4.7.16 allows SQL injection via the applications/nexus/modules/front/store/store.php IPS\nexus\modules\front\store\_store::_categoryView() method, where user input passed through the filter request parameter is not properly sanitized before being used to execute SQL queries. | 9.8 |
2022-06-13 | CVE-2021-40604 | Server-Side Request Forgery (SSRF) vulnerability in Invisioncommunity IPS Community Suite: A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. | 6.4 |
2021-08-17 | CVE-2021-39249 | Use of Insufficiently Random Values vulnerability in Invisioncommunity Invision Power Board: Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function. | 4.3 |
2021-08-17 | CVE-2021-39250 | Cross-site Scripting vulnerability in Invisioncommunity Invision Power Board: Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. | 3.5 |
2021-06-01 | CVE-2021-32924 | Code Injection vulnerability in Invisioncommunity IPS Community Suite: Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method. | 6.0 |
2021-01-08 | CVE-2021-3025 | SQL Injection vulnerability in Invisioncommunity IPS Community Suite 4.5.2/4.5.3/4.5.4: Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php). | 6.5 |
2021-01-05 | CVE-2021-3026 | Cross-site Scripting vulnerability in Invisioncommunity IPS Community Suite 4.5.2/4.5.3/4.5.4: Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment. | 4.3 |
2020-12-30 | CVE-2020-29477 | Cross-site Scripting vulnerability in Invisioncommunity Community 4.5.4: Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. | 3.5 |
2020-03-13 | CVE-2009-5159 | Cross-site Scripting vulnerability in multiple products: Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Internet Explorer 5 is used, allows XSS via a .txt attachment. | 4.3 |
2020-02-12 | CVE-2013-3725 | Unspecified vulnerability in Invisioncommunity Invision Power Board: Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution. | 7.5 |