XSS at file uploading in instantsoft/icms2


Reported on

Aug 14th 2023


In menu Add page, there is a upload file function and xss payload can be injected there.


1/ Access to the web demo and go to Add page menu.

2/ At upload file function, upload an file with filename is a payload xss.

3/ It will be triggered immediately.

Proof of Concept

Payload: "><img src=x onerror=alert(origin)>

Link video PoC: https://drive.google.com/file/d/1bgbbkTGhkKEYSVuQIyw58eKYjrW6pVc_/view?usp=sharing


Impact of Reflected XSS:

1/ The attacker can hijack user accounts.

2/ An attacker could steal credentials.

3/ An attacker could exfiltrate sensitive data.

4/ An attacker can steal cookies and Sessions.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 4 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 4 months ago
Fuze validated this vulnerability 4 months ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Fuze marked this as fixed in 2.16.1 with commit a6a30e 4 months ago
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
Fuze gave praise 4 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
4 months ago


Thank you too

Fuze published this vulnerability 3 months ago
to join this conversation