instantsoft / icms2
Self-hosted Site Management System
Program response times: first interaction within 19 days, review within 24 days, fix within 22 days.
Reports

| Title | Date | Reporter | Status | Severity | CVE |
|---|---|---|---|---|---|
| Mass Message Feature XSS Vulnerability: Potential Session Hijacking | Dec 14th 2023 | gabriel-vernilo | Low | Low | |
| Unnoticed HTML Injection Vulnerability Enables Silent Redirection to Malicious W... | Nov 2nd 2023 | ernkw | self closed | | |
| Email Enumeration On Password Reset Endpoint | Oct 3rd 2023 | 1d8 | not applicable | | |
| Logout page does not prevent CSRF | Nov 15th 2023 | nyeooo | Low | Low | |
| logout csrf | Oct 1st 2023 | nyeooo | self closed | | |
| SQL Injection in `icms2/install/index.php` | Oct 1st 2023 | ghostdragozn | Low | Low | |
| Store XSS in module name "admin/controllers/edit/comments/comments_list" | Jan 4th 2024 | ngductung | Medium | Medium | |
| No Protection Against Bruteforce Attacks on Login Page | Sep 17th 2023 | sospiro014 | informative | Low | |
| Stored XSS at LOGO+USER menu | Oct 1st 2023 | tishamanandhar | Low | Low | |
| Store XSS in Widgets and pages in instantsoft/icms2 | Oct 1st 2023 | sospiro014 | Low | Low | |
| SQL Injection Vulnerability in Content Page | Sep 13th 2023 | ghostdragozn | High | High | CVE-2023-4928 |
| Blind XSS Vulnerability | Sep 9th 2023 | vipercalling | not applicable | | |
| No Rate-Limit Protection at all allowing any User to send unlimited Amount of co... | Sep 8th 2023 | ahmedvienna | not applicable | | |
| Incomplete fix for SSRF in CVE-2023-4651 | Sep 10th 2023 | asesidaa | Medium | Medium | CVE-2023-4878 |
| Source code disclosure | Sep 3rd 2023 | imsushantkamble | not applicable | | |
| Store XSS in Notifications Menu | Dec 25th 2023 | hainguyen0207 | Low | Low | |
| Server - Side Request Forgery by unauthorized users | Aug 31st 2023 | khoiminhvo32 | duplicate | Medium | |
| Store XSS in Widgets and pages | Sep 10th 2023 | hainguyen0207 | Low | Low | CVE-2023-4879 |
| Toastr 2.1.0 in use which is vulnerable to XSS | Sep 8th 2023 | popcorn94 | informative | Low | |
| Stored Cross-site Scripting | Aug 18th 2023 | newb3ast | Low | Low | |
| Sensitive Information leakage in EXIF data of images | Aug 18th 2023 | nilabhrajpoot | informative | High | |
| Admin TakeOver | Sep 9th 2023 | 7h3h4ckv157 | informative | Medium | |
| Cookie without Secure flag | Aug 31st 2023 | uonghoangminhchau | Low | Low | CVE-2023-4654 |
| Authentication cookie is not renewed after successfully login | Aug 31st 2023 | uonghoangminhchau | Medium | Medium | CVE-2023-4649 |
| XSS at file uploading | Aug 31st 2023 | uonghoangminhchau | Medium | Medium | CVE-2023-4655 |
| New password can be set as same as the old password | Aug 16th 2023 | uonghoangminhchau | Medium | Medium | CVE-2023-4381 |
| By pass rate limit in post likes | Aug 16th 2023 | hainguyen0207 | not applicable | | |
| SSRF Blind in the image upload module via url | Aug 31st 2023 | trunggg02 | Medium | Medium | CVE-2023-4651 |
| Misconfiguration in message sending function | Aug 11th 2023 | trunggg02 | High | High | CVE-2023-4704 |
| authorized Admin Account Takeover | Aug 31st 2023 | j0x1nx | Medium | Medium | CVE-2023-4650 |
| Store XSS via Upload Photos in album | Aug 31st 2023 | meme-dm | Medium | Medium | CVE-2023-4652 |
| Reflected XSS in module name "My messages" | Aug 9th 2023 | hainguyen0207 | self closed | | |
| Store XSS in module name "admin/controllers/edit/comments/comments_list" | Aug 31st 2023 | hainguyen0207 | Medium | Medium | CVE-2023-4653 |
| Reflected XSS in module name "Write a comment" | Aug 9th 2023 | hainguyen0207 | not applicable | | |
| Self XSS in "Content Types / Add Content Type" | Aug 9th 2023 | meme-dm | Medium | Medium | |
| Reflected XSS in URL path of '/admin/controllers/edit/activity/perms/' | Aug 5th 2023 | legpains | Medium | Medium | CVE-2023-4189 |
| Unauthenticated Blind SQL Injection in '/tags/autocomplete' | Aug 5th 2023 | legpains | Critical | Critical | CVE-2023-4188 |
| Stored XSS in title | Aug 5th 2023 | scgajge12 | Low | Low | CVE-2023-4187 |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Aug 16th 2023 | 0xdhinu | duplicate | Medium | |
Bounty amounts by severity: Critical $0, High $0, Medium $0, Low $0.