CVE-2024-30163
Published: 07 June 2024
Summary
CVE-2024-30163 is a critical-severity SQL Injection (CWE-89) vulnerability in Invisioncommunity's Invision Community. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-30163 is a SQL injection vulnerability in Invision Community versions prior to 4.7.16. The flaw resides in the _categoryView() method of applications/nexus/modules/front/store/store.php, where the filter request parameter is passed directly into SQL queries without adequate sanitization, enabling CWE-89 injection.
Unauthenticated remote attackers can exploit the issue over the network to perform blind SQL injection. Successful exploitation grants full read, write, and delete access to the underlying database, corresponding to the CVSS 9.8 rating that reflects no required authentication, privileges, or user interaction.
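The flaw class described above, as an added illustration that is not Invision Community's code: a hypothetical category-view handler reading a "filter" request parameter, shown in its unsafe form (the value spliced into the SQL text) beside a hardened form that allowlists the value and binds it as a parameter. The table, columns and filter names are assumptions for the demo.

```php
<?php
// Added illustration (not Invision Community's code): a hypothetical category
// view handler that reads a "filter" request parameter, mirroring the flaw
// class the advisory describes. Table, columns and filter names are made up.

// VULNERABLE pattern (CWE-89): the request value is spliced into the SQL text,
// so any quote or operator in it is parsed as part of the statement.
function categoryViewUnsafe(PDO $db, array $request): array
{
    $filter = $request['filter'] ?? 'all';
    $sql = "SELECT id, name FROM store_packages WHERE category = '$filter'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: accept only known filter names, then bind the value as a parameter
// so the database can only ever treat it as data, never as query syntax.
const ALLOWED_FILTERS = ['all', 'featured', 'subscriptions', 'physical'];

function categoryViewSafe(PDO $db, array $request): array
{
    $filter = (string) ($request['filter'] ?? 'all');
    if (!in_array($filter, ALLOWED_FILTERS, true)) {
        // Reject unknown values outright instead of trying to "sanitize" them.
        throw new InvalidArgumentException('unknown filter value');
    }
    if ($filter === 'all') {
        return $db->query('SELECT id, name FROM store_packages')->fetchAll(PDO::FETCH_ASSOC);
    }
    $stmt = $db->prepare('SELECT id, name FROM store_packages WHERE category = :category');
    $stmt->execute([':category' => $filter]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against in-memory SQLite with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE store_packages (id INTEGER PRIMARY KEY, name TEXT, category TEXT)');
$db->exec("INSERT INTO store_packages (name, category) VALUES ('Gold plan', 'subscriptions'), ('Sticker', 'physical')");

print_r(categoryViewSafe($db, ['filter' => 'physical']));  // allowlisted value: runs the bound query
try {
    categoryViewSafe($db, ['filter' => "physical'"]);        // stray quote: rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allowlist check does the real work for an enumerated filter parameter; the bound parameter is the defence that still holds when a value must be free-form.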
The vendor addressed the flaw in the 4.7.16 release, as noted in the official Invision Community release notes. Public full-disclosure posts on Seclists reference the same patch version for remediation.
The associated EPSS score has remained stable at its peak value of 0.4637 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28099
Vulnerability details
Invision Community before 4.7.16 allows SQL injection via the applications/nexus/modules/front/store/store.php IPS\nexus\modules\front\store\_store::_categoryView() method, where user input passed through the filter request parameter is not properly sanitized before being used to execute SQL queries. This can be exploited by unauthenticated attackers to carry out Blind SQL Injection attacks.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.