Store XSS via Upload Photos in album in instantsoft/icms2


Reported on

Aug 9th 2023


The application does not check the file upload and content file extension. This results in an attacker being able to upload a malicious file that leads to xss.

Proof of Concept

Video POC:


<img src=x onerror=alert("XSS")>


Through this vulnerability, an attacker is capable to execute malicious scripts.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
instantsoft/icms2 maintainer validated this vulnerability a month ago
Chiencp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer gave praise a month ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
a month ago


My Pleasure ! Would it be possible to assign a CVE ? Thank you !

instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 7a7e57 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
instantsoft/icms2 maintainer published this vulnerability 22 days ago
to join this conversation