CVE-2021-32924
Description
A moderator-level PHP code injection in IPS Community Suite ≤4.5.4.2 allows arbitrary code execution via the previewBlock method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A PHP code injection vulnerability exists in IPS Community Suite (Invision Community) prior to version 4.6.0. The flaw resides in the IPS\cms\modules\front\pages\_builder::previewBlock method, which unsafely passes attacker-controlled content to the IPS\_Theme::runProcessFunction method, leading to an eval() call. The vulnerability requires the "cms" application to be enabled. Affected versions are 4.5.4.2 and earlier [1].
Exploitation
Successful exploitation requires an account with permission to manage the sidebar, such as a Moderator or Administrator. The attacker must be authenticated with at least moderator-level privileges in the context of the CMS application. The attacker triggers the previewBlock method, which then injects arbitrary PHP code into the eval() call. No special network position or concurrent race window is needed [1].
Impact
An attacker can inject and execute arbitrary PHP code within the context of the web server. This leads to full compromise of the application, including data theft, configuration modification, and potential server takeover. The impact is classified as a high-severity CIA compromise with elevation of privilege to the web server user [1].
Mitigation
Apply the vendor patch or upgrade to version 4.6.0 or later, which was released by the vendor on an undisclosed date in early 2021. There is no known workaround for unpatched systems. No KEV listing has been published. If immediate upgrade is not possible, consider disabling the CMS application or restricting sidebar management permissions to trusted administrators only [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Invision Community / IPS Community Suite
- Range: <4.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- karmainsecurity.com/KIS-2021-04 (MISC)
- packetstormsecurity.com/files/162868/IPS-Community-Suite-4.5.4.2-PHP-Code-Injection.html (MISC)
- seclists.org/fulldisclosure/2021/May/80 (mailing list, FULLDISC)
- hackerone.com/reports/1092574 (MISC)
- invisioncommunity.com/features/security/ (MISC)
News mentions
No linked articles in our index yet.