CVE-2021-39249
Description
Invision Community before 4.6.5.1 uses predictable attachment filenames due to weak mt_rand seeding, enabling reflected XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Invision Community (aka IPS Community Suite or IP-Board) versions 4.6.5 and older have a reflected cross-site scripting (XSS) vulnerability in the attachment handling mechanism. When a user uploads a file, IP-Board generates the stored filename by appending an MD5 hash derived from the PHP mt_rand function. Because mt_rand is seeded predictably (typically with the server's time at process start), an attacker can brute-force or guess the generated hash for a given uploaded file, making the final URL predictable. This allows an attacker to craft a link that, when visited by an authenticated user, executes arbitrary JavaScript in the context of the victim's session [1].
Exploitation
An attacker must first upload a file (e.g., an HTML or SVG attachment) to the forum. The uploaded file's original name is retained, but a seemingly random MD5 hash is appended by IP-Board using a seed derived from mt_rand. Because the seed is weak and can be brute-forced on the same server shortly after the upload, the attacker can determine the exact final URL of the uploaded file. The attacker then sends a crafted link to a logged-in victim; when the victim clicks the link, the uploaded file's content (which may contain malicious JavaScript) is executed in the victim's browser. The attacker does not need high privileges; any registered user who can upload files can initiate the attack. User interaction (clicking the link) is required. The predictable filename enables this reflected XSS without needing to inject into a page directly [1].
Impact
Successful exploitation allows an attacker to execute JavaScript in the context of the victim's session. The attacker could steal session cookies, impersonate the victim, perform actions on their behalf, or potentially escalate to remote code execution if a stored XSS chain is used (as noted in the reference). The impact ranges from information disclosure (session tokens, private messages) to full account takeover, and potentially server-side compromise if combined with other vulnerabilities [1].
Mitigation
The vendor released a fix in IP-Board version 4.6.5.1, which changes the filename generation to use a cryptographically secure random value instead of mt_rand. Users should upgrade to 4.6.5.1 or later immediately. No workarounds are documented, but administrators can restrict file upload permissions to trusted users as a partial interim measure. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
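The weak naming scheme described above next to a CSPRNG-based replacement, as an added PHP example. This is not Invision Community's code; the function names, the seed and the filename are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the weak scheme: original name plus md5() of an
// mt_rand() value. MD5 only reformats the number; it adds no entropy.
function weak_attachment_name(string $original): string
{
    return $original . '.' . md5((string) mt_rand());
}

// Hardened form: 128-bit suffix from the operating system's CSPRNG,
// independent of any mt_rand()/mt_srand() state in the process.
function strong_attachment_name(string $original): string
{
    return $original . '.' . bin2hex(random_bytes(16));
}

// True when re-creating the same generator state re-creates the same name.
function name_repeats_for_seed(callable $namer, int $seed, string $original): bool
{
    mt_srand($seed);
    $first = $namer($original);
    mt_srand($seed);
    return $first === $namer($original);
}

// Upper bound, in bits, on distinct suffixes the weak scheme can emit:
// mt_rand() returns an integer in [0, mt_getrandmax()].
function weak_suffix_bits(): float
{
    return log(mt_getrandmax() + 1, 2);
}

$seed = 123456;        // constructed sample seed
$file = 'report.pdf';  // constructed sample filename

printf("weak name repeats for same seed:   %s\n",
    var_export(name_repeats_for_seed('weak_attachment_name', $seed, $file), true));
printf("strong name repeats for same seed: %s\n",
    var_export(name_repeats_for_seed('strong_attachment_name', $seed, $file), true));
printf("weak suffix space: at most %.0f bits (MD5 output is 128 bits wide)\n",
    weak_suffix_bits());
printf("strong suffix space: %d bits\n", 16 * 8);
```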
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Invision Community/Invision Community
- Range: <4.6.5.1
Patches
No patches discovered yet.
References
- invisioncommunity.com/release-notes/4651-r102/ (mitre, x_refsource_MISC)
- ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ (mitre, x_refsource_MISC)