# Exploit Title: Invision Community <= 4.7.20 (calendar/view.php) - SQL Injection
# Google Dork: N/A
# Date: 23 July 2025
# Exploit Author: Egidio Romano
# LinkedIn: N/A
# Vendor Homepage: https://invisioncommunity.com
# Software Link: https://invisioncommunity.com
# Version: Certain 4.x versions before 4.7.21
# Tested on: Invision Community <= 4.7.20
# CVE: CVE-2025-48932
## Vulnerability Description
The vulnerability is located within the `/applications/calendar/modules/front/calendar/view.php` script. Specifically, in the `IPS\calendar\modules\front\calendar\view::search()` method, user input passed through the `location` request parameter is not properly sanitized before being used to construct a SQL query. This can be exploited by remote, unauthenticated attackers to, for example, read sensitive data from the database through boolean-based SQL Injection attacks. Successful exploitation of this vulnerability requires the "calendar" application to be installed and a "GeoLocation feature" (like Google Maps) to be configured.
**NOTE:** SQL Injection vulnerabilities in Invision Community 4.x might lead to admin account takeover and RCE attacks, by resetting the admin's password. However, starting from version 4.7.18, a new security encryption key has been introduced within the password reset mechanism. As such, this attack vector won't work anymore with versions >= 4.7.18.
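The advisory identifies the injection point precisely (the `location` request parameter handled by the calendar `view::search()` method), which is enough to build a log-side detection for exploitation attempts and a coarse version triage. The following is an added example, not code from the advisory or from Invision Community. It assumes the standard IPS4 routing query (`app=calendar&module=calendar&controller=view&do=search`, or a friendly `/calendar/` path) derived from the class path named above; the access-log lines and the boolean-probe shapes in them are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format). Hosts, IPs, timestamps
# and payload shapes are made up; they are not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jul/2025:10:01:02 +0000] "GET /calendar/?location=Berlin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2025:10:01:07 +0000] "GET /index.php?app=calendar&module=calendar&controller=view&do=search&location=Berlin%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "python-requests/2.32"
203.0.113.9 - - [23/Jul/2025:10:01:08 +0000] "GET /index.php?app=calendar&module=calendar&controller=view&do=search&location=Berlin%27%20AND%201%3D2--%20 HTTP/1.1" 200 4870 "-" "python-requests/2.32"
198.51.100.2 - - [23/Jul/2025:10:02:00 +0000] "GET /forums/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Generic indicators of a SQL-injection probe in a free-text parameter. A place
# name legitimately contains letters, digits, spaces and commas, not these.
SQLI_PATTERNS = [
    (re.compile(r"['\"]"), "quote character"),
    (re.compile(r"\b(and|or)\b\s*[\w'\"()]+\s*(=|<|>|like)", re.I), "boolean expression"),
    (re.compile(r"(--|#|/\*)"), "SQL comment sequence"),
    (re.compile(r"\b(sleep|benchmark|union|select)\b", re.I), "SQL keyword"),
]


def parse_line(line):
    """Return the decoded request as a dict, or None if the line is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "path": parts.path,
        "query": parse_qs(parts.query),  # percent-decodes the parameter values
        "status": int(m["status"]),
        "size": m["size"],
    }


def targets_calendar_search(req):
    """True if the request reaches the calendar view with a `location` parameter.

    Both the friendly-URL form (/calendar/...) and the raw IPS4 routing form
    (app=calendar&controller=view) are recognised; the routing form is an
    assumption based on the class path named in the advisory.
    """
    q = req["query"]
    path_calendar = req["path"].startswith("/calendar")
    routed = q.get("app") == ["calendar"] and q.get("controller") == ["view"]
    return (path_calendar or routed) and "location" in q


def suspicious_reasons(value):
    """List the indicator labels that match a single `location` value."""
    return [label for pat, label in SQLI_PATTERNS if pat.search(value)]


def find_location_injection(log_text):
    """Scan access-log text and report calendar requests whose `location` looks injected."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if not req or not targets_calendar_search(req):
            continue
        for value in req["query"]["location"]:
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append({"ip": req["ip"], "location": value, "reasons": reasons})
    return findings


def version_is_affected(version):
    """Coarse triage: the advisory says certain 4.x versions before 4.7.21 are
    affected, so every 4.x release below 4.7.21 is flagged for review."""
    parts = tuple(int(p) for p in version.split("."))
    return parts[0] == 4 and parts < (4, 7, 21)


if __name__ == "__main__":
    print("4.7.20 affected:", version_is_affected("4.7.20"))
    for hit in find_location_injection(SAMPLE_LOG):
        print(hit["ip"], repr(hit["location"]), ", ".join(hit["reasons"]))
```

Two consecutive probes from the same client that differ only in a true/false condition and come back with different response sizes (as in the constructed lines above) are the signature of boolean-based extraction; the per-request indicators here are the place to start, and grouping findings by IP and comparing `size` across them is a natural extension for a SIEM rule. The pattern list is deliberately generic, so expect occasional false positives from legitimate place names containing an apostrophe, which is why the reasons are reported rather than a single verdict.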
## Proof of Concept
https://karmainsecurity.com/pocs/CVE-2025-48932.php
## Solution
Upgrade to version 4.7.21 or later.
## Disclosure Timeline
- [16/05/2025] - Vendor notified
- [27/05/2025] - Version 4.7.21 released
- [28/05/2025] - CVE identifier requested
- [28/05/2025] - CVE identifier assigned
- [23/07/2025] - Public disclosure
## CVE Reference
The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-48932 to this vulnerability.
## Credits
Vulnerability discovered by Egidio Romano.
## Original Advisory
http://karmainsecurity.com/KIS-2025-06