Misconfiguration in message sending function in instantsoft/icms2

Valid

Reported on

Aug 10th 2023


Description

Web application misconfiguration in the messaging function. This vulnerability results in a user's messages being automatically sent to all other users, which potentially exposes the user's information.

Proof of Concept

Video PoC: https://drive.google.com/file/d/1eXQXJAeIJ0KVWAKRUeBtvgNZzHW_3la_/view?usp=sharing

Steps

1. Log in to the admin account with the Chrome browser and to the demo account with another browser.

2. Using the demo account, send a message to admin, then intercept the request with Burp Suite and send it to Burp Repeater for editing.

3. Set the contact_id value to 3, which is the id of the demo account, so that the demo account sends a message to itself.

4. After the demo account has sent a message to itself, whenever it sends a message to a particular user, the system automatically sends that message to all users.

Impact

This vulnerability results in a user's messages being automatically sent to all other users, which potentially exposes the user's information.
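The condition behind the steps above, as the maintainer's validation comment describes it, is a contact row whose contact_id equals its user_id. The following is an added, hypothetical model (not InstantCMS code; the class, method and field names are assumptions) of the contact table and the `/messages/write/<id>` handler, showing the two validation points that refuse such a row and a helper that audits rows created before a fix:

```python
# Hypothetical model of messaging contacts and the write handler (not icms2 code).
# Constructed sample data only; the point is where the self-contact check belongs.
from dataclasses import dataclass, field


class MessagingError(ValueError):
    """Raised when a request would create or use a self-contact."""


@dataclass
class MessagingStore:
    users: set                                   # known user ids (constructed)
    contacts: set = field(default_factory=set)   # (user_id, contact_id) rows
    outbox: list = field(default_factory=list)   # (sender_id, recipient_id, text)

    def add_contact(self, user_id: int, contact_id: int) -> None:
        # Refuse the row that step 3 of the report creates: owner == contact.
        if user_id == contact_id:
            raise MessagingError(f"user {user_id} may not be its own contact")
        if contact_id not in self.users:
            raise MessagingError(f"unknown contact {contact_id}")
        self.contacts.add((user_id, contact_id))

    def write(self, session_user_id: int, path_contact_id: int, text: str) -> int:
        # Sender comes from the session; recipient from the request path.
        # The path id is client-controlled (edited in Burp Repeater in the
        # report), so it is validated here again, independently of add_contact.
        if path_contact_id == session_user_id:
            raise MessagingError("recipient equals sender")
        if (session_user_id, path_contact_id) not in self.contacts:
            raise MessagingError("recipient is not a contact of the sender")
        self.outbox.append((session_user_id, path_contact_id, text))
        return path_contact_id  # exactly one recipient, never a fan-out

    def audit_self_contacts(self) -> list:
        # Remediation helper: list owners of rows where user_id == contact_id,
        # e.g. rows inserted before the checks above existed.
        return sorted(u for (u, c) in self.contacts if u == c)


def rejected(action, *args) -> bool:
    """True if calling action(*args) raises MessagingError."""
    try:
        action(*args)
    except MessagingError:
        return True
    return False
```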

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
instantsoft/icms2 maintainer modified the Severity from Critical (10) to High (8.8) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability a month ago

Not exactly as you described, but yes, there is a problem. The PoC needs to be supplemented: send request /messages/write/3 - here initially substitute id with your own, to create a contact where contact_id and user_id are equal. Thank you for your attention. P.S. the demo version is InstantCMS 2.15.2.

Trunggg02 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer gave praise a month ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit bc22d8 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
instantsoft/icms2 maintainer published this vulnerability a month ago
Trunggg02
a month ago

Researcher


Can you specify a CVE for this error?

Trunggg02
a month ago

Researcher


Hello can you please assign it a CVE.

Thank you very much.

Trunggg02
a month ago

Researcher


@instantsoft/icms2 Hi, can you please specify a CVE for this vulnerability. It's necessary for my work

instantsoft/icms2 maintainer
a month ago

Maintainer


Hello, I don't know how to edit now. There is no such item in the action menu. If you can tell me how to do it again, I will.

Fuze
a month ago

Maintainer


Sorry, there's probably no way to re-assign CVEs after committing changes. But if you know it is possible, please let me know.

Trunggg02
a month ago

Researcher


@admin can you solve this problem?

Fuze
a month ago

Maintainer


@admin Please attach a CVE, with a date of August 31st

Ben Harvie
a month ago

Admin


Fuze, would you like the CVE assigned and published on the 31st of August?

Fuze
a month ago

Maintainer


Yes

Trunggg02
21 days ago

Researcher


@admin I have not yet received a CVE for this vulnerability

Trunggg02
21 days ago

Researcher


@Fuze I have not yet received a CVE for this vulnerability

Fuze
20 days ago

Maintainer


I can't influence it

Ben Harvie
20 days ago

Admin


A CVE has now been assigned as requested.

Trunggg02
20 days ago

Researcher


OK, thanks.
