CVE-2021-39250

Name of the Vulnerable Software and Affected Versions Invision Community versions prior to 4.6.5.1

Description The issue allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).

Recommendations For versions prior to 4.6.5.1, update to version 4.6.5.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability of admins to install widgets and use the templating engine until a patch is applied. Additionally, restrict access to the Edit HTML feature to minimize the risk of exploitation.