Predictable Filename Brute-Force XSS Vulnerability in Invision Community

Predictable Filename Brute-Force XSS Vulnerability in Invision Community

CVE-2021-39249 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows reflected XSS because the filenames of uploaded files become predictable through a brute-force attack against the PHP mt_rand function.

Learn more about our Web Application Penetration Testing UK.