Cyber Resilience

CVE-2024-30163

Critical, public PoC

Published: 07 June 2024
Modified: 19 March 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4637 (97.7th percentile)
Risk Priority: 47 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30163 is a critical-severity SQL injection (CWE-89) vulnerability in Invision Community (NVD vendor/product: invisioncommunity/invisioncommunity). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood (EPSS 0.4637, 97.7th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-30163 is a SQL injection vulnerability in Invision Community versions prior to 4.7.16. The flaw resides in the _categoryView() method of applications/nexus/modules/front/store/store.php, where the filter request parameter is passed directly into SQL queries without adequate sanitization, enabling CWE-89 injection.

Unauthenticated remote attackers can exploit the issue over the network as a blind SQL injection. Successful exploitation grants full read, write, and delete access to the underlying database; the CVSS 9.8 rating reflects that no authentication, privileges, or user interaction are required.

The vendor addressed the flaw in the 4.7.16 release, as noted in the official Invision Community release notes. Public full-disclosure posts on Seclists reference the same patch version for remediation.

The associated EPSS score has remained stable at its peak value of 0.4637 with no material upward trajectory after disclosure.

EU & UK References

Vulnerability details

Invision Community before 4.7.16 allows SQL injection via the applications/nexus/modules/front/store/store.php IPS\nexus\modules\front\store\_store::_categoryView() method, where user input passed through the filter request parameter is not properly sanitized before being used to execute SQL queries. This can be exploited by unauthenticated attackers to carry out Blind SQL Injection attacks.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: invisioncommunity
Product: invisioncommunity
Versions: 4.4.0 — 4.7.16

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

- Query input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
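The PHP below is an added illustrative example; it is not Invision Community's code and not the patched _categoryView() method. It models the weakness class this record describes (a request parameter called filter reaching a SQL query unparameterised, CWE-89) next to the input-validation control listed above: allow-list the filter value, then bind it as a query parameter. The table, columns, and function names are invented for the example, and it assumes PHP with the pdo_sqlite extension so it runs stand-alone against an in-memory database.

```php
<?php
// Added example, not project code. Models CWE-89 via a "filter"-style request
// parameter and shows the hardened form. Assumes PHP with pdo_sqlite.
declare(strict_types=1);

// Build a throwaway in-memory database with constructed sample rows.
function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT, category INTEGER, stock TEXT)');
    $db->exec("INSERT INTO packages (name, category, stock) VALUES
        ('Basic', 1, 'in'), ('Pro', 1, 'out'), ('Enterprise', 2, 'in')");
    return $db;
}

// Unsafe pattern (hypothetical, for contrast only): the filter value is
// spliced into the SQL text, so the database parses it as part of the query.
function categoryViewUnsafe(PDO $db, int $category, string $filter): array {
    $sql = "SELECT name FROM packages WHERE category = $category AND stock = '$filter'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject anything outside the values the view supports,
// then pass the value as a bound parameter rather than as query text.
const ALLOWED_STOCK_FILTERS = ['in', 'out'];

function categoryViewSafe(PDO $db, int $category, string $filter): array {
    if (!in_array($filter, ALLOWED_STOCK_FILTERS, true)) {
        throw new InvalidArgumentException('unsupported filter value');
    }
    $stmt = $db->prepare('SELECT name FROM packages WHERE category = :cat AND stock = :stock');
    $stmt->execute([':cat' => $category, ':stock' => $filter]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = buildDb();

// Legitimate input: both versions return the same rows.
echo "unsafe, legitimate: " . json_encode(categoryViewUnsafe($db, 1, 'in')) . "\n";
echo "safe,   legitimate: " . json_encode(categoryViewSafe($db, 1, 'in')) . "\n";

// A value that closes the quoted literal changes what the query means in the
// unsafe version; the safe version refuses it before any SQL is built.
$hostile = "x' OR '1'='1";
echo "unsafe, hostile:    " . json_encode(categoryViewUnsafe($db, 1, $hostile)) . "\n";
try {
    categoryViewSafe($db, 1, $hostile);
} catch (InvalidArgumentException $e) {
    echo "safe,   hostile:    rejected ({$e->getMessage()})\n";
}
```

Run with `php example.php`. For the legitimate value both functions return only the category-1 package that is in stock; for the hostile value the unsafe function's WHERE clause becomes a tautology and it returns every package in the table regardless of category, while the safe function throws before touching the database. The allow-list is what makes the filter parameter safe to use in a blind-injection setting: even with a prepared statement, accepting arbitrary strings would still let an attacker probe behaviour, so constraining the value to the handful of filters the view actually implements is the control that closes the channel.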

References