icms2

Valid

Reported on

Aug 8th 2023

Description

I noticed that you filtered the comment very carefully.

But there are still some parts you missed

Proof of Concept

1.Login with admin

2.go to "https://demo.instantcms.io/admin/controllers/edit/comments/comments_list"

3.Select 1 comment and insert payload

     <image src=1 href=1 onerror="alert(document.cookie)"></image>

4.Click save , and store xss happened

5.Then, login another admin account, go to comments, detect store xss

Video PoC

https://drive.google.com/file/d/12s7byrrIusDs4npsSosusb-WXoPGUrc-/view?usp=drive_link

Impact

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago

haido modified the report

a month ago

We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago

A instantsoft/icms2 maintainer

commented a month ago

Maintainer

Yes, this is confirmed and needs to be corrected. But you should realize that this is an admin panel, and if an attacker gets there, he can do anything without any XSS :) But thanks anyway, we confirm it, we'll fix it, and we'll write about the solution here.

haido

commented a month ago

Researcher

hi,so my report is still eligible for the reward, right

A instantsoft/icms2 maintainer modified the Severity from Critical (9.8) to Medium (5.9) a month ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

A instantsoft/icms2 maintainer validated this vulnerability a month ago

haido has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A instantsoft/icms2 maintainer gave praise a month ago

Thanks, looking forward to more reports ;-)

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

A instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 7e9d79 a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Aug 31st 2023

A instantsoft/icms2 maintainer

commented a month ago

Maintainer

This is a problem in the third-party editor used in InstantCMS

haido

commented a month ago

Researcher

Great, thank you so much

A instantsoft/icms2 maintainer published this vulnerability 22 days ago

to join this conversation

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago

haido modified the report

a month ago

We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago

A instantsoft/icms2 maintainer

commented a month ago

Maintainer

haido

commented a month ago

Researcher

hi,so my report is still eligible for the reward, right

A instantsoft/icms2 maintainer modified the Severity from Critical (9.8) to Medium (5.9) a month ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

A instantsoft/icms2 maintainer validated this vulnerability a month ago

haido has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A instantsoft/icms2 maintainer gave praise a month ago

Thanks, looking forward to more reports ;-)

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

A instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 7e9d79 a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Aug 31st 2023

A instantsoft/icms2 maintainer

commented a month ago

Maintainer

This is a problem in the third-party editor used in InstantCMS

haido

commented a month ago

Researcher

Great, thank you so much

A instantsoft/icms2 maintainer published this vulnerability 22 days ago

to join this conversation