Authentication cookie is not renewed after successfully login in instantsoft/icms2


Reported on

Aug 14th 2023


ICMS62EC2566CC4B5 cookie is still same after log in. The value is not changed or renewed.


1/ Access to the web demo and user browser's dev tool to check the cookie.

2/ Observe the value of ICMS62EC2566CC4B5 cookie, try to log in and it is still the same.

Proof of Concept

Link video PoC:


A successful session fixation attack gives the attacker access to the victim's account. This could mean access to higher level privileges or the ability to look at sensitive data.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
instantsoft/icms2 maintainer validated this vulnerability a month ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Fuze marked this as fixed in 2.16.1 with commit ca5f15 a month ago
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
Fuze published this vulnerability 22 days ago
to join this conversation