CVE-2021-3025
Description
SQL injection in Invision Community IPS Community Suite before 4.5.4.2 allows remote attackers to execute arbitrary SQL via the sortDir parameter in the Downloads REST API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the Downloads REST API of Invision Community IPS Community Suite versions before 4.5.4.2. The flaw resides in the GETindex() method within applications/downloads/api/files.php. When the sortBy parameter is set to popular, the sortDir parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL statements [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the Downloads REST API endpoint with a malicious sortDir parameter. No authentication is required, and the attack can be performed remotely over the network [1]. The specific steps involve manipulating the sortDir value to include SQL injection payloads, which are then executed by the database backend.
Impact
Successful exploitation enables an attacker to execute arbitrary SQL queries against the underlying database. This can lead to unauthorized access to sensitive data, modification or deletion of database records, and potentially full compromise of the application and its data [1]. The attacker gains the ability to read, write, or alter any information stored in the database, depending on the database user's privileges.
Mitigation
The vulnerability is fixed in version 4.5.4.2 of IPS Community Suite. Users should upgrade to this version or later immediately. No official workaround has been provided, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Invision Community / IPS Community Suite
- Range: <4.5.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/160830/IPS-Community-Suite-4.5.4-SQL-Injection.html
- invisioncommunity.com/release-notes/
News mentions
No linked articles in our index yet.