VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2023 · Updated Oct 9, 2024

Cross-site Scripting (XSS) - Stored in instantsoft/icms2

CVE-2023-4187

Description

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in icms2 prior to 2.16.1-git allows attackers to inject arbitrary JavaScript via unsanitized menu titles.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in instantsoft/icms2 versions prior to 2.16.1-git, as reported in [2]. The vulnerability is in the menu tree node rendering where the title field is output without HTML encoding. An attacker with the ability to create or edit menu items can inject malicious scripts that will be stored and executed when other users view the menu. The fix in commit [1] applies html($item['title'], false) to sanitize the output.
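The rendering defect and its fix, as an added example that is not icms2's own code: a minimal menu-tree renderer that first concatenates the stored title straight into markup and then encodes it at output time. PHP's `htmlspecialchars()` stands in for icms2's `html()` helper, and the menu items are constructed.

```php
<?php
// Added example, not from the icms2 code base. Constructed menu items; the
// second title is the kind of value an editor with menu permissions could store.
$menuItems = [
    ['id' => 1, 'title' => 'Home',                           'url' => '/'],
    ['id' => 2, 'title' => '<script>alert(1)</script>About', 'url' => '/about'],
];

// Vulnerable pattern: the stored title is emitted as-is, so the browser
// parses attacker-controlled text as HTML and runs any script it contains.
function renderMenuVulnerable(array $items): string
{
    $out = '<ul class="menu">';
    foreach ($items as $item) {
        $out .= '<li><a href="' . $item['url'] . '">' . $item['title'] . '</a></li>';
    }
    return $out . '</ul>';
}

// Fixed pattern: every untrusted value is HTML-encoded at the point of output,
// attribute values included, so '<', '>', '"', "'" and '&' stay inert text.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderMenuFixed(array $items): string
{
    $out = '<ul class="menu">';
    foreach ($items as $item) {
        $out .= '<li><a href="' . encodeForHtml($item['url']) . '">'
              . encodeForHtml($item['title']) . '</a></li>';
    }
    return $out . '</ul>';
}

// Regression check a reviewer can keep in a test suite: no stored title may
// surface as a raw tag in the rendered menu.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vulnerable = renderMenuVulnerable($menuItems);
$fixed      = renderMenuFixed($menuItems);

echo "vulnerable: $vulnerable\n";   // contains a live <script> element
echo "fixed:      $fixed\n";        // contains &lt;script&gt; as visible text

if (containsRawScriptTag($vulnerable) && !containsRawScriptTag($fixed)) {
    echo "PASS: encoding at output neutralises the stored payload\n";
} else {
    throw new RuntimeException('unexpected rendering result');
}
```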

Exploitation

An attacker needs to have the ability to create or modify menu items (e.g., as an administrator or a user with appropriate permissions). The attacker can craft a menu title containing JavaScript payloads (e.g., ``). When the menu is rendered in the admin panel or frontend, the script executes in the context of the victim's browser.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, meaning the payload persists and affects all users who view the affected menu.

Mitigation

The vulnerability is fixed in version 2.16.1-git, released on or around August 2023 [1]. Users should upgrade to this version or later. No workaround is available for older versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • instantsoft/icms2
    Range: <2.16.1-git
  • instantsoft/instantsoft/icms2v5
    Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.