——————————————————————————
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
——————————————————————————<\/p>\n[-] Software Link:<\/p>\n
https:\/\/invisioncommunity.com<\/p>\n[-] Affected Versions:<\/p>\n
Version 4.7.16 and prior versions.<\/p>\n[-] Vulnerability Description:<\/p>\n
The vulnerability is located in the
\/applications\/core\/modules\/admin\/editor\/toolbar.php script.
Specifically, into the
IPS\\core\\modules\\admin\\editor\\_toolbar::addPlugin() method, which will
handle
the upload of a ZIP file, trying to extract its content into the
\/applications\/core\/interface\/ckeditor\/ckeditor\/plugins\/ directory; if
the ZIP archive does not include
a plugin.js file, then the extracted ZIP content will be recursively
deleted from the file system,
otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a
ZIP archive containing a plugin.js file (which can also be empty)
along with a PHP file. Successful
exploitation of this vulnerability requires an Administrator account
having the “toolbar_manage” permission.<\/p>\n[-] Proof of Concept:<\/p>\n
https:\/\/karmainsecurity.com\/pocs\/CVE-2024-30162.php<\/p>\n[-] Solution:<\/p>\n
No official solution is currently available.<\/p>\n[-] Disclosure Timeline:<\/p>\n[08\/01\/2024] – Vulnerability details sent to SSD Secure Disclosure
[12\/03\/2024] – Version 4.7.16 released, but the issue is still not fixed
[20\/03\/2024] – CVE identifier requested
[24\/03\/2024] – CVE identifier assigned
[05\/04\/2024] – Coordinated public disclosure<\/p>\n[-] CVE Reference:<\/p>\n
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2024-30162 to this vulnerability.<\/p>\n[-] Credits:<\/p>\n
Vulnerability discovered by Egidio Romano.<\/p>\n[-] Other References:<\/p>\n
SSD Advisory – IP.Board ‘nexus’ RCE and Blind SQLi<\/a><\/p><\/blockquote>\n