IPS Community Suite 4.5.4.2 PHP Code Injection
Posted by deepcore on June 1, 2021 – 8:11 pm
IPS Community Suite versions 4.5.4.2 and below suffer from a PHP code injection vulnerability. The vulnerability exists because the IPScmsmodulesfrontpages_builder::previewBlock() method allows to pass arbitrary content to the IPS_Theme::runProcessFunction() method, which will be used in a call to the eval() PHP function. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permission to manage the sidebar (such as a Moderator or Administrator) and the “cms” application to be enabled.
Post a reply
You must be logged in to post a comment.