InstantCMS 2.16.1 Cross Site Scripting
InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.
# Exploit Title: InstantCMS - Store XSS
# Application: InstantCMS
# Version: v2.16.1
# Bugs: Stored XSS
# Technology: PHP
# Vendor Homepage: https://instantcms.ru/
# Software Link: https://instantcms.ru/get
# Date: 14.09.2023
# Author: SoSPiro
# Tested on: Windows

## Description
I noticed that you filtered the filter very carefully. But there are still some parts you missed

## POC
1. Login with admin
2. Go to "http://localhost/o2/admin/menu/item_edit/18"
3. Insert payload in CSS class
4. Click save, and go to home page, and Detect store xss in footer

https://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing

## Impact
This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

## Bug fix commit
https://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156

## Reference
https://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/
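
The report describes a menu item's CSS class value being saved in the admin panel and later rendered in the site footer. The following is an added example, not InstantCMS code and not the content of the fix commit: it shows the two defensive layers that apply to such a field, token allowlisting on save and attribute encoding on output. The function names `sanitize_css_classes` and `render_menu_item` and the sample input are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from InstantCMS): reduce an admin-supplied
// "CSS class" value to a list of safe class tokens before storing it.
function sanitize_css_classes(string $raw, int $maxTokens = 10): string
{
    $tokens = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) ?: [];
    $safe = [];
    foreach ($tokens as $token) {
        // Accept identifier-like names only: optional leading hyphen, then a
        // letter or underscore, then letters, digits, underscores or hyphens.
        // Quotes, angle brackets, '=' and similar markup characters never match.
        if (preg_match('/^-?[A-Za-z_][A-Za-z0-9_-]{0,63}$/', $token) === 1) {
            $safe[$token] = true; // array key de-duplicates repeated tokens
        }
    }
    return implode(' ', array_slice(array_keys($safe), 0, $maxTokens));
}

// Hypothetical template helper: encode every dynamic value for the HTML
// context it lands in, even if it was already validated when saved.
function render_menu_item(string $title, string $cssClass): string
{
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<li class="%s">%s</li>', $e($cssClass), $e($title));
}

// Constructed sample input: two legitimate class names followed by tokens
// that carry attribute and tag syntax (no script content).
$submitted = 'footer-link  active x" data-probe="1 <b>';

// Layer 1: what gets stored after validation on save.
$stored = sanitize_css_classes($submitted);
echo "stored:   ", $stored, PHP_EOL;

// Layer 2: output encoding applied to the validated value.
echo "rendered: ", render_menu_item('About', $stored), PHP_EOL;

// Output encoding alone, applied to the raw value: the quote and angle
// brackets are emitted as entities and stay inside the class attribute.
echo "raw+enc:  ", render_menu_item('About', $submitted), PHP_EOL;
```

Validation on save keeps stored data clean for every consumer of the field, while encoding at render time protects templates from values that were stored before the validation existed.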