Self XSS in "Content Types / Add Content Type" in instantsoft/icms2


Reported on Aug 8th 2023


Add the following payload to the "System name" field:

    <img src=x onerror=alert(window.origin)>

Proof of Concept

Impact

An attacker could perform unauthorized actions in the context of the victim's browser.
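The report above shows the payload being stored in the "System name" field and rendered back as HTML. The following is an added example (not icms2 code) that shows the two defensive controls a maintainer would apply to such a field: strict identifier validation on input, and HTML encoding on output. The field format, the helper names and the sample rendering are assumptions for illustration only.

```python
import html
import re

# Constructed sample: the payload from the report, as submitted in "System name".
PAYLOAD = '<img src=x onerror=alert(window.origin)>'

# Assumption: a content type's system name is a machine identifier
# (lowercase letters, digits, underscore), so it can be validated strictly.
SYSTEM_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")


def is_valid_system_name(name: str) -> bool:
    """Input validation: reject anything that is not a plain identifier."""
    return SYSTEM_NAME_RE.fullmatch(name) is not None


def render_name_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored value is interpolated into HTML as-is."""
    return f'<td class="system-name">{name}</td>'


def render_name_escaped(name: str) -> str:
    """Hardened pattern: HTML-encode on output so the value is shown as text."""
    return f'<td class="system-name">{html.escape(name, quote=True)}</td>'


def contains_img_tag(rendered: str) -> bool:
    """Detection helper: did an <img ...> tag survive into the rendered HTML?"""
    return re.search(r"<img\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("valid identifier?", is_valid_system_name(PAYLOAD))   # False
    print("unsafe render :", render_name_unsafe(PAYLOAD))
    print("escaped render:", render_name_escaped(PAYLOAD))
```

Validation alone stops the payload from being stored; output encoding alone stops it from executing if it is stored anyway, so both are applied.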

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 4 months ago
Chiencp modified the report 4 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 4 months ago
instantsoft/icms2 maintainer validated this vulnerability 4 months ago

It does not provide a threat. But thanks anyway, we'll fix it!

Chiencp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit ddf7ac 4 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
instantsoft/icms2 maintainer published this vulnerability 4 months ago