Cookie without Secure flag in instantsoft/icms2


Reported on

Aug 14th 2023


There is a ICMS62EC2566CC4B5 cookie without Secure flag and this is authentication cookie.

Proof of Concept

Link photo PoC:


If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope.

An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.


Set it true.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
Chuu submitted a
a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
instantsoft/icms2 maintainer modified the Severity from Medium (4.3) to Low (2.6) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability a month ago

Thank you for your interest in the project. It is not possible to just install in true, because InstantCMS can be installed inside the network, consciously without https protocol. We will fix it differently, more universally.

Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer gave praise a month ago
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Fuze marked this as fixed in 2.16.1 with commit ca5f15 a month ago
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
user.php#L571 has been validated
a month ago


thank you too

Fuze published this vulnerability 22 days ago
to join this conversation