Invision Community 4.7.15 SQL Injection Vulnerability exploit
An SQL Injection vulnerability has been identified in Invision Community versions 4.4.0 to 4.7.15, specifically within the /applications/nexus/modules/front/store/store.php script. This flaw arises due to improper sanitization of user input through the "filter" request parameter before it is used in SQL queries. Attackers can exploit this vulnerability to perform time-based or error-based Blind SQL Injection attacks, potentially leading to unauthorized access to the Admin Control Panel (AdminCP) and Remote Code Execution (RCE) by resetting user passwords.

The issue requires the nexus application to be installed and at least one "Product Group" to be configured. Users are advised to upgrade to version 4.7.16 or later to mitigate this vulnerability, which has been assigned CVE-2024-30163 with a CVSS score of 7.4. The discovery of this vulnerability is credited to Egidio Romano, and a proof of concept is provided for educational purposes.

CVEs: CVE-2024-30163, CVE-2024-30162
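
A log-triage sketch for the issue described above, added here as an example and not taken from the advisory or from Invision Community's code: it flags access-log requests whose "filter" parameter carries tokens typical of time-based or error-based SQL injection probes. The combined log format, the `/store/group-1/` path, the `filter[...]` array form and the token list are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Heuristic tokens for time-based / error-based SQL injection probes.
# Assumption for this example; tune the list for your own traffic.
SQLI_TOKENS = re.compile(
    r"\bsleep\s*\(|\bbenchmark\s*\(|\bextractvalue\s*\(|\bupdatexml\s*\(|"
    r"\bunion\b.+\bselect\b|/\*|--\s",
    re.IGNORECASE | re.DOTALL,
)
# Combined log format (assumed): client IP ... "METHOD target HTTP/x" status
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_filter_param(name):
    # The advisory names the "filter" parameter; "filter[...]" is the PHP array form.
    return name == "filter" or name.startswith("filter[")

def suspicious_filter_requests(lines):
    """Return (ip, status, param, value) for each flagged filter parameter."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        query = m["target"].partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not is_filter_param(name):
                continue
            # parse_qsl decoded once; decode again to catch double-encoded input.
            decoded = unquote_plus(name + "=" + value)
            if SQLI_TOKENS.search(decoded):
                hits.append((m["ip"], int(m["status"]), name, value))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical store path).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Apr/2024:10:00:00 +0000] "GET /store/group-1/?filter%5B1%5D=blue HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2024:10:00:05 +0000] "GET /store/group-1/?filter%5B1%5D=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2024:10:00:11 +0000] "GET /store/group-1/?filter=1%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 500 312',
    '203.0.113.10 - - [01/Apr/2024:10:01:00 +0000] "GET /search/?q=union+select+committee HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_filter_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only query-string parameters, so a "filter" value sent in a request body needs WAF or application-level logging to be visible to a check like this.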