CVE-2023-4652: Fixed upload XSS with wrong extension · instantsoft/icms2@7a7e57e
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
@@ -285,15 +285,16 @@ private function uploadPackage(){
files_clear_directory(cmsConfig::get(‘upload_path’) . $this->installer_upload_path);
$result = $this->cms_uploader->upload($this->upload_name, $this->upload_exts, 0, $this->installer_upload_path);
$result = $this->cms_uploader->setAllowedMime([
‘application/zip’
])->upload($this->upload_name, $this->upload_exts, 0, $this->installer_upload_path);
if (!$result[‘success’]){
cmsUser::addSessionMessage($result[‘error’], ‘error’);
return false;
}
return $result[‘name’];
}
}
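Review bot: The added `setAllowedMime(['application/zip'])` only closes the stored-XSS path if `cms_uploader` derives the MIME type server-side (e.g. `finfo` on the temporary file) rather than from the client-supplied `$_FILES[...]['type']`; the uploader's implementation is outside this hunk, so that should be confirmed before treating the fix as complete. If the check is against the browser's Content-Type, an attacker can simply send `application/zip` with an HTML payload, while legitimate Windows clients that report `application/x-zip-compressed` would be rejected — both symptoms of trusting the wrong source. A short comment at the call site would make the assumption explicit for the next reader: `// MIME whitelist must be enforced by server-side sniffing in cms_uploader; the client-sent Content-Type is not a security boundary`. Note that the extension whitelist `$this->upload_exts` is unchanged here, so the MIME check is the only new control; `uploadPackage()` begins above the hunk and only its tail is visible.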