------------------------------------------------------------------------------ Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability ------------------------------------------------------------------------------ [-] Software Link: https://invisioncommunity.com [-] Affected Versions: Version 4.7.16 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script. Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will handle the upload of a ZIP file, trying to extract its content into the /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does not include a plugin.js file, then the extracted ZIP content will be recursively deleted from the file system, otherwise it will stay there. This can be exploited to execute arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can also be empty) along with a PHP file. Successful exploitation of this vulnerability requires an Administrator account having the "toolbar_manage" permission. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2024-30162.php [-] Solution: No official solution is currently available. [-] Disclosure Timeline: [08/01/2024] - Vulnerability details sent to SSD Secure Disclosure [12/03/2024] - Version 4.7.16 released, but the issue is still not fixed [20/03/2024] - CVE identifier requested [24/03/2024] - CVE identifier assigned [05/04/2024] - Coordinated public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-30162 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/ [-] Original Advisory: http://karmainsecurity.com/KIS-2024-03 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/