Store XSS in module name "admin/controllers/edit/comments/comments_list" in instantsoft/icms2


Reported on

Aug 8th 2023


I noticed that you filtered the comment very carefully.

But there are still some parts you missed

Proof of Concept

1.Login with admin

2.go to ""

3.Select 1 comment and insert payload

     <image src=1 href=1 onerror="alert(document.cookie)"></image>

4.Click save , and store xss happened

5.Then, login another admin account, go to comments, detect store xss

Video PoC


This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
haido modified the report
a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
instantsoft/icms2 maintainer
a month ago


Yes, this is confirmed and needs to be corrected. But you should realize that this is an admin panel, and if an attacker gets there, he can do anything without any XSS :) But thanks anyway, we confirm it, we'll fix it, and we'll write about the solution here.

a month ago


hi,so my report is still eligible for the reward, right

instantsoft/icms2 maintainer modified the Severity from Critical (9.8) to Medium (5.9) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability a month ago
haido has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer gave praise a month ago
Thanks, looking forward to more reports ;-)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 7e9d79 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
instantsoft/icms2 maintainer
a month ago


This is a problem in the third-party editor used in InstantCMS

a month ago


Great, thank you so much

instantsoft/icms2 maintainer published this vulnerability 22 days ago
to join this conversation