Mass Message Feature XSS Vulnerability: Potential Session Hijacking in instantsoft/icms2

Valid

Reported on

Oct 9th 2023


The Cross-Site Scripting (XSS) vulnerability occurs in the "mass message" feature. This flaw allows an attacker who has administrative access to impersonate any user by sending a message containing malicious scripts to all users. When unsuspecting users open or interact with this message, the embedded script is executed in their browser, potentially compromising their session data or performing other malicious actions on their behalf.

To reproduce the vulnerability:

1. Log in as an administrator.
2. Navigate to the "Users" section.
3. Access "Create pm messages".
4. Craft an XSS payload. For demonstration purposes, I used the following payload: <script>alert(document.cookie);</script>
5. Insert the payload in the "Message text" area.
6. Select "How to send a message" -> "As a private message".
7. Send the message as any user to all users (notice that here you have the option to send as any user that exists on the platform).
8. A recipient user then opens their direct messages (DMs) and clicks on the chat containing the malicious message. Upon clicking, the JavaScript payload is executed, showcasing the vulnerability.

While administrators typically possess elevated privileges to manage and configure the CMS, it is essential that these privileges do not extend to compromising the integrity and confidentiality of individual user sessions. An admin's role is to manage and maintain the platform, not to access personal or session-specific data of users. Allowing an admin, or any user, to inject malicious code that can steal session data blurs the line between administrative control and user privacy. This not only jeopardizes user trust but also exposes the system to potential misuse by any rogue admin or an attacker who gains administrative access. In essence, even administrators should be subjected to robust security measures that uphold the principle of least privilege, ensuring they only access what's necessary for system management and not users' private data or sessions.

Impact

By exploiting this vulnerability, a malicious actor could potentially steal session cookies or execute other harmful scripts affecting all users. I recommend that the input validation and output encoding measures be reviewed and strengthened for this feature to mitigate the risk of this vulnerability.


While it might be tempting to downplay the severity of this vulnerability due to its reliance on administrative access, it's crucial to recognize that any security flaw, irrespective of its point of origin, poses a risk. Administrators, while trusted, should not have the capability to compromise user sessions. Additionally, if an attacker gains administrative access, either through social engineering, weak passwords, or another vulnerability, they can exploit this flaw to target all users. Essentially, the vulnerability's existence represents a potential breach of trust and an avenue for escalated malicious activity, affirming its validity and the need for its rectification.
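The report recommends reviewing input validation and output encoding for this feature. The block below is an added example, not code from icms2 or from the report, showing the defensive side: a stored message (the report's payload is one of the constructed samples) is HTML-escaped before it is placed in the recipient's page, so the markup is displayed as text instead of being executed, and a heuristic flags submissions that contain active content so they can be logged or rejected at the form. The message shape, the function names and the detection pattern are assumptions made for illustration.

```javascript
// Added example (not icms2 code): output-encode a stored private message
// before rendering it, and flag submissions that carry active content.

// Every HTML-significant character mapped to its entity. Covering quotes and
// the slash lets the same function be used in attribute values and in text.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML fragment for one message. In the reported scenario both the
// sender name (the form lets the admin pick any existing user) and the body
// are attacker-influenced, so both go through escapeHtml. The message shape
// {sender, text} is an assumption for this example.
function renderMessage(message) {
  return (
    `<div class="pm" data-sender="${escapeHtml(message.sender)}">` +
    `<strong>${escapeHtml(message.sender)}</strong>: ` +
    `<span class="pm-text">${escapeHtml(message.text)}</span>` +
    `</div>`
  );
}

// Detection heuristic for the submission side: script tags, javascript: URLs
// and inline event-handler attributes. A constructed pattern, not an HTML
// parser; it is a logging/rejection aid on top of output encoding, never a
// replacement for it.
const ACTIVE_CONTENT = /<\s*script\b|<\s*\/\s*script|javascript\s*:|\bon[a-z]+\s*=/i;

function containsActiveContent(text) {
  return ACTIVE_CONTENT.test(String(text));
}

// Constructed sample input: the payload quoted in the report and a harmless
// message that happens to contain characters HTML treats specially.
const SAMPLE_MESSAGES = [
  { sender: "admin", text: "<script>alert(document.cookie);</script>" },
  { sender: "alice", text: 'Meeting at 5 > 4 people? Bring "snacks".' },
];

function main() {
  for (const m of SAMPLE_MESSAGES) {
    const tag = containsActiveContent(m.text) ? "[FLAGGED]" : "[ok]     ";
    console.log(tag, renderMessage(m));
  }
}

main();
```

Encoding on output is the control that neutralizes the stored payload whatever the form accepted; removing script tags at the form, as the maintainer proposes, is a reasonable second layer but only catches what the filter recognizes, which is why the example escapes every HTML-significant character when the message is displayed. Marking the session cookie HttpOnly additionally keeps document.cookie out of reach of any script that does run.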

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 4 months ago
Gabriel Vernilo modified the report
4 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 4 months ago
Gabriel Vernilo
4 months ago

Researcher


Any updates?

Fuze
4 months ago

Maintainer


This is the administrative part of the site. If an attacker gains access to it, there is no need to use XSS. I can formally accept this report and exclude script tags from the specified form. But there are other forms in the admin area where you can do the same. There is no point in looking for XSS in the admin.

Gabriel Vernilo
4 months ago

Researcher


I appreciate your perspective on the elevated privileges of the admin panel. However, even within such a privileged environment, it's crucial to ensure actions are restricted to their intended purposes. Vulnerabilities, even in the admin area, can be components of more complex attack chains, especially when combined with other exploits. Additionally, insider threats could exploit these vulnerabilities without drawing the same attention that direct misuse of admin powers might. Addressing even minor vulnerabilities in the admin panel not only enhances our overall security posture but also signals a comprehensive commitment to robust security practices. I kindly request that, at the very least, this vulnerability be acknowledged and accepted as a low-severity issue to reflect its potential implications.

Fuze validated this vulnerability 4 months ago
gabriel-vernilo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Gabriel Vernilo
4 months ago

Researcher


thanks :)

Fuze marked this as fixed in 2.16.2-git with commit 1d9205 2 months ago
Fuze has been awarded the fix bounty
This vulnerability has now been published 2 months ago