egix@karmainsecurity ~ $

Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability

• Software Link:

https://invisioncommunity.com

• Affected Versions:

Version 4.7.16 and prior versions.

• Vulnerability Description:

The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.

Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will handle the upload of a ZIP file, trying to extract its content into the /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does not include a plugin.js file, then the extracted ZIP content will be recursively deleted from the file system, otherwise it will stay there. This can be exploited to execute arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can also be empty) along with a PHP file.

Successful exploitation of this vulnerability requires an Administrator account having the “toolbar_manage” permission.

• Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-30162.php

• Solution:

No official solution is currently available.

• Disclosure Timeline:

[08/01/2024] – Vulnerability details sent to SSD Secure Disclosure

[12/03/2024] – Version 4.7.16 released, but the issue is still not fixed

[20/03/2024] – CVE identifier requested

[24/03/2024] – CVE identifier assigned

[05/04/2024] – Coordinated public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-30162 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.

• Other References:

https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/