CVE-2021-3025

Name of the Vulnerable Software and Affected Versions Invision Community IPS Community Suite versions prior to 4.5.4.2

Description The issue allows SQL Injection via the Downloads REST API, specifically through the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php.

Recommendations For versions prior to 4.5.4.2, update to version 4.5.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the applications/downloads/api/files.php endpoint or disabling the GETindex() method until a patch is available. Avoid using the sortDir parameter in the affected API endpoint until the issue is resolved.