Cross-site Scripting (XSS) - Reflected in instantsoft/icms2
Description
Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in instantsoft/icms2 prior to 2.16.1-git allows arbitrary JavaScript execution via unsanitized user input in tags and menu components.
Vulnerability
Reflected Cross-Site Scripting (XSS) exists in instantsoft/icms2 prior to version 2.16.1-git. The vulnerability occurs in at least two locations: the tags autocomplete endpoint where the term parameter is used without proper sanitization before being reflected in output, and the menu tree node generation where the title parameter is not HTML-encoded. An attacker can inject arbitrary JavaScript through these unsanitized parameters, leading to reflected XSS. [1]
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the vulnerable parameter (e.g., term in the tags autocomplete AJAX request) and trick a victim user into clicking the link. No authentication is required for successful exploitation as these endpoints are accessible to unauthenticated users. The payload executes in the context of the victim's browser session on the affected domain. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, redirecting the user to malicious sites, or performing actions on behalf of the victim. This can lead to complete compromise of the victim's account and data exposure. [1]
Mitigation
The issue has been fixed in commit 1dbc3e6, which is included in version 2.16.1-git. Users should upgrade to this version or later. For users unable to upgrade, applying the specific patch, which adds html() encoding to the title output and strip_tags() to the term parameter, closes both reflection points. No workaround is available other than upgrading or patching. [1]
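As an added illustration of the fix described above (example code, not the project's own): a minimal PHP sketch of the two sinks, each in its unsafe form beside the encoded form the patch introduces. The `html()` helper is assumed here to be a thin wrapper over `htmlspecialchars()`; the render and autocomplete function names, the sample title and the tag list are constructed for this example.

```php
<?php
// Assumed helper: HTML-encodes untrusted text before it is placed into markup.
// Named after the html() call the fix uses; this is not the project's implementation.
function html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Sink 1: a menu tree node built from a request-supplied "title" parameter.
function render_menu_node_unsafe(string $title): string {
    return '<li class="node">' . $title . '</li>';       // untrusted input reflected verbatim
}
function render_menu_node_safe(string $title): string {
    return '<li class="node">' . html($title) . '</li>'; // encoded at the output point
}

// Sink 2: tags autocomplete reads the "term" parameter and echoes it with the matches.
function autocomplete_unsafe(string $term, array $tags): array {
    $hits = array_filter($tags, fn($t) => stripos($t, $term) === 0);
    return ['term' => $term, 'tags' => array_values($hits)];
}
function autocomplete_safe(string $term, array $tags): array {
    $term = strip_tags($term);                           // drop markup from the parameter, as the patch does
    $hits = array_filter($tags, fn($t) => stripos($t, $term) === 0);
    return ['term' => html($term), 'tags' => array_values($hits)];
}

// Constructed sample input: markup a visitor must never be able to place into the page.
$title = '<b>menu</b>';
$tags  = ['security', 'secure-coding', 'sessions'];

assert(render_menu_node_safe($title) === '<li class="node">&lt;b&gt;menu&lt;/b&gt;</li>');
assert(autocomplete_safe('<i>se</i>c', $tags) === ['term' => 'sec', 'tags' => ['security', 'secure-coding']]);

echo render_menu_node_unsafe($title), "\n";   // markup survives and is interpreted by the browser
echo render_menu_node_safe($title), "\n";     // markup is rendered as literal text
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the safe variants encode at the point where the value meets the response rather than relying on the caller.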
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- instantsoft/icms2 - Range: <2.16.1-git
- instantsoft/instantsoft/icms2v5 - Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.