CVE-2021-39249: XSS
First published: Tue Aug 17 2021(Updated: )
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Invisioncommunity Invision Power Board | <4.6.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-39249?
CVE-2021-39249 is a vulnerability in Invision Community (aka IPS Community Suite or IP-Board) before version 4.6.5.1 that allows for reflected XSS attacks.
How does CVE-2021-39249 occur?
CVE-2021-39249 occurs when the filenames of uploaded files in Invision Community become predictable through a brute-force attack against the PHP mt_rand function.
What is the severity of CVE-2021-39249?
CVE-2021-39249 has a severity level of medium (6.1).
How can I fix CVE-2021-39249?
To fix CVE-2021-39249, update Invision Community to version 4.6.5.1 or higher.
Are there any references for CVE-2021-39249?
Yes, you can find more information about CVE-2021-39249 at the following references: [Link1](https://invisioncommunity.com/release-notes/4651-r102/), [Link2](https://ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/).
- collector/nvd-index
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/invisioncommunity
- canonical/invisioncommunity invision power board