Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability

https://invisioncommunity.com

• Affected Versions:

Certain 4.x versions before 4.7.21.

• Vulnerability Description:

The vulnerability is located within the /applications/calendar/modules/front/calendar/view.php script.

Specifically, in the IPS\calendar\modules\front\calendar\view::search() method:

725	if( \IPS\GeoLocation::enabled() )
726	{
727		if( \IPS\Request::i()->location )
728		{
729			/* Is it a location? */
730			$locations = static::geocodeLocation( \IPS\Request::i()->location, FALSE );
731			if( \is_array( $locations ) and \count( $locations ) )
732			{
733				if( $locations[0]['value'] )
734				{
735					$having[] = "( event_title LIKE CONCAT( '%', '" . $locations[0]['value'] . "', '%' ) OR name LIKE CONCAT( '%', '" . $locations[0]['value'] . "', '%' ) )";
736				}
737
738				$location = array( 'lat' => $locations[0]['lat'], 'lon' => $locations[0]['long'] );
739				$searchNearLocation = TRUE;
740			}
741			else
742			{
743				$having[] = "( event_title LIKE CONCAT( '%', '" . \IPS\Request::i()->location . "', '%' ) OR name LIKE CONCAT( '%', '" . \IPS\Request::i()->location . "', '%' ) )";
744			}
745		}

User input passed through the “location” request parameter is concatenated, without escaping or parameter binding, into the SQL HAVING clause built at line 743. This can be exploited by remote, unauthenticated attackers to e.g. read sensitive data from the database through boolean-based SQL Injection attacks. Successful exploitation of this vulnerability requires the “calendar” application to be installed and a “GeoLocation feature” (like Google Maps) to be configured.
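As an added example (not Invision Community's code), the fragment from line 743 rebuilt with bound parameters and run side by side with the original string-spliced shape, using PDO and an in-memory SQLite table that stands in for the forum's MySQL database. SQLite spells MySQL's CONCAT() as ||, and the table, sample rows and function names are constructed here.

```php
<?php
// Added example, not Invision Community code: the HAVING fragment built in
// view::search() (line 743 above), shown in its vulnerable shape and in a
// parameterized shape, executed against a constructed in-memory SQLite table.

// Vulnerable shape (mirrors line 743): the request value becomes part of the SQL
// text, so a quote inside it ends the string literal and the rest is parsed as SQL.
function buildHavingUnsafe( string $location ): array
{
    $sql = "( event_title LIKE '%' || '" . $location . "' || '%' OR name LIKE '%' || '" . $location . "' || '%' )";
    return [ $sql, [] ];
}

// Hardened shape: the SQL text is constant and the value travels as a bind, so the
// database never parses it as SQL. The '?' placeholders work unchanged on MySQL.
// Note that LIKE wildcards (% and _) inside the value still act as wildcards.
function buildHavingSafe( string $location ): array
{
    $pattern = '%' . $location . '%';
    return [ "( event_title LIKE ? OR name LIKE ? )", [ $pattern, $pattern ] ];
}

// Runs one fragment and returns the matching titles, or null when the database
// rejects the query (the symptom of the spliced value having changed its structure).
function searchEvents( PDO $db, array $fragment ): ?array
{
    [ $having, $binds ] = $fragment;
    try {
        // SQLite requires GROUP BY before HAVING; the real query groups as well.
        $stmt = $db->prepare( "SELECT event_title FROM events GROUP BY event_title, name HAVING " . $having );
        $stmt->execute( $binds );
        return $stmt->fetchAll( PDO::FETCH_COLUMN );
    } catch ( PDOException $e ) {
        return null;
    }
}

$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( "CREATE TABLE events ( event_title TEXT, name TEXT )" );
// Constructed sample rows; "name" stands in for the venue column of the real query.
$db->exec( "INSERT INTO events VALUES ( 'Meetup in Paris', 'Paris' ), ( 'Board games', 'O''Neil Hall' )" );

// A plain value behaves the same in both shapes; a value containing a quote
// breaks the unsafe query but is matched as literal data by the safe one.
foreach ( [ 'Paris', "O'Neil" ] as $location ) {
    printf( "%-8s unsafe: %s\n", $location, json_encode( searchEvents( $db, buildHavingUnsafe( $location ) ) ) );
    printf( "%-8s safe:   %s\n", $location, json_encode( searchEvents( $db, buildHavingSafe( $location ) ) ) );
}
```

The same change applies to the geocoded branch at line 735, where `$locations[0]['value']` is spliced into the fragment in the same way.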

NOTE: SQL Injection vulnerabilities in Invision Community 4.x might lead to admin account takeover and RCE attacks, by resetting the admin’s password. However, starting from version 4.7.18, a new security encryption key has been introduced within the password reset mechanism. As such, this attack vector won’t work anymore with versions >= 4.7.18.

• Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-48932.php

• Solution:

Upgrade to version 4.7.21 or later.

• Disclosure Timeline:

[16/05/2025] – Vendor notified

[27/05/2025] – Version 4.7.21 released

[28/05/2025] – CVE identifier requested

[28/05/2025] – CVE identifier assigned

[23/07/2025] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-48932 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.