Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages_builder::previewBlock method interacts unsafely with the IPS_Theme::runProcessFunction method.
CPE | Name | Operator | Version |
---|---|---|---|
ips_community_suite | lt | 4.6.0 |