CVE-2025-47916 Scanner
CVE-2025-47916 Scanner - Remote Code Execution (RCE) vulnerability in Invision Community
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
16 days 7 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
Invision Community is a popular software platform used for building online communities, forums, and social media networks. It is widely used by businesses, organizations, and individual users globally to create interactive websites and engage with audiences online. The software offers a range of features including user profiles, discussion boards, chat systems, and media sharing. With a customizable and extendable architecture, Invision Community allows developers to create tailored solutions for specific community needs. The platform is employed in industries such as education, gaming, customer support, and more for efficient online interaction. Its ease of use and adaptability make it a preferred choice for creating dynamic online spaces.
The detected vulnerability in Invision Community involves a remote code execution (RCE) issue that arises from a flaw in template injection handling. This vulnerability allows unauthenticated remote attackers to inject and execute arbitrary PHP code. The issue is due to an unsecured method in the themeeditor.php controller, which improperly processes crafted template strings. By exploiting this vulnerability, attackers can gain full control over the compromised system. This critical flaw affects versions 5.0.0 to 5.0.6 of Invision Community, posing a severe security risk. Organizations running susceptible versions need to prioritize remediation to prevent malicious exploitation.
The core of the vulnerability lies in the themeeditor.php controller within the Invision Community software. A protected method, customCss, is exploitable by passing crafted template strings via the content parameter. When these crafted strings are processed, they allow unauthorized execution of arbitrary PHP code. Specifically, this occurs in the Theme::makeProcessFunction() method, where an attacker can inject payloads that are executed by the template engine. The vulnerability enables attackers to manipulate system behavior without authentication. Such a flaw necessitates immediate attention and patching to safeguard against potential attacks.
The exploitation of this vulnerability can lead to severe consequences, including but not limited to, a complete system takeover by unauthorized individuals. Attackers can execute arbitrary code, potentially leading to data theft, system downtime, and compromise of confidential information. Additionally, exploiting this vulnerability could facilitate further attacks within the network, impacting other connected systems. Organizations could face reputational damage, financial losses, and legal implications. To mitigate such risks, it is imperative to apply security patches and updates promptly.
REFERENCES