IPS Community Suite versions 4.5.4.2 and below suffer from a PHP code injection vulnerability. The IPS\cms\modules\front\pages\_builder::previewBlock() method allows arbitrary content to be passed to the IPS\_Theme::runProcessFunction() method, where it is used in a call to the PHP eval() function. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation requires an account with permission to manage the sidebar (such as a Moderator or Administrator) and the “cms” application to be enabled.
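
The flaw class described above, shown as an added illustration that is neither IPS Community Suite code nor the vendor's fix: request-supplied content reaching eval(), next to a preview routine that treats the same content as data. The function names, the placeholder allowlist and the sample input are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; this is not IPS Community Suite code.

// Weak pattern: request-supplied block content is wrapped in a function body
// and eval()'d, so any PHP inside it runs with the application's privileges.
// Defined for contrast only; it is never called here.
function previewUnsafe(string $blockContent): string
{
    $fn = 'preview_' . bin2hex(random_bytes(4));
    eval("function {$fn}() { \$out = ''; {$blockContent}; return \$out; }");
    return $fn();
}

// Hardened pattern: block content is data. Only allowlisted {placeholders}
// are substituted; everything else is HTML-escaped and never reaches eval().
const ALLOWED_PLACEHOLDERS = ['title', 'member_name']; // assumed allowlist

function previewSafe(string $blockContent, array $values, bool $canManageSidebar): string
{
    // The permission check stays, but it is no longer the only barrier.
    if (!$canManageSidebar) {
        throw new RuntimeException('Permission denied');
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $escaped = htmlspecialchars($blockContent, $flags, 'UTF-8');
    $rendered = preg_replace_callback(
        '/\{([a-z_]+)\}/',
        static function (array $m) use ($values, $flags): string {
            $known = in_array($m[1], ALLOWED_PLACEHOLDERS, true);
            if (!$known || !isset($values[$m[1]])) {
                return $m[0]; // unknown placeholder stays literal text
            }
            return htmlspecialchars((string) $values[$m[1]], $flags, 'UTF-8');
        },
        $escaped
    );
    return $rendered ?? $escaped; // fall back to escaped text on a regex error
}

// Constructed sample input: PHP-looking text is rendered as inert, escaped text.
$sample = 'Hello {member_name}; phpinfo(); {unknown}';
echo previewSafe($sample, ['member_name' => '<b>Alice</b>'], true), PHP_EOL;
```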