Cross-site Scripting (XSS) - Stored in instantsoft/icms2
Description
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in icms2 prior to 2.16.1-git: the admin package uploader checked only the file extension, not the MIME type, so a file carrying script could be uploaded and later executed when viewed.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the uploadPackage() function of the admin panel in instantsoft/icms2 prior to version 2.16.1-git. The uploader validated only the file extension and never checked the MIME type of the uploaded content, so an attacker could upload a file with an extension such as .html whose contents are rendered as a page, and any script embedded in it runs when the file is accessed. The vulnerable call is in controllers/admin/actions at line 288, where $this->cms_uploader->upload() was invoked without any MIME restriction [1].
Exploitation
An attacker with administrative access to the icms2 admin panel uploads a file containing JavaScript under an extension the uploader accepts (e.g., .html). The file is stored on the server at a location other administrators can reach. When another administrator opens the stored file, the embedded script executes in the origin of the admin panel, which is what makes this a stored XSS.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any administrator who opens the uploaded file. This can lead to session hijacking, theft of sensitive data, or further compromise of the CMS instance. Because the payload is stored on the server, it persists until the file is removed.
Mitigation
The vulnerability is fixed in commit 7a7e57e, which restricts the uploader's allowed MIME types to application/zip via setAllowedMime() [1]. Users should update to version 2.16.1-git or later. No workaround is documented; updating is the recommended action.
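The two checks contrasted above (extension only, versus extension plus a server-side MIME restriction to application/zip) are illustrated below in a stand-alone Python example. This is added here as an illustration and is not icms2 code; the function names, the in-memory sample files and the client_content_type parameter are assumptions for the demo. It goes slightly beyond the advisory by also showing that a file named .zip but containing HTML passes the extension check and is rejected only by the content check, and that a client-supplied Content-Type header is not used at all.

```python
"""Added example (not icms2 code): extension-only vs content-based upload checks."""
import io
import zipfile

ALLOWED_EXTENSIONS = {"zip"}
# Zip magic bytes: local file header, empty-archive end record, spanned archive.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def extension_check(filename: str) -> bool:
    """Vulnerable pattern: trust the file name the client chose."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def sniff_mime(data: bytes) -> str:
    """Derive a MIME type from the bytes, never from the client's Content-Type header."""
    if data.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(data)):
        return "application/zip"
    head = data.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script", b"<svg")):
        return "text/html"
    return "application/octet-stream"


def hardened_check(filename: str, data: bytes, client_content_type: str = "") -> bool:
    """Fixed pattern: require the extension AND a sniffed type of application/zip.

    client_content_type is accepted only to make the point that it is ignored:
    it is attacker-controlled and must not influence the decision.
    """
    return extension_check(filename) and sniff_mime(data) == "application/zip"


def make_zip(entries: dict) -> bytes:
    """Build a small valid zip archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an HTML page carrying script, and a genuine package archive.
HTML_PAYLOAD = b"<html><body><script>alert(document.cookie)</script></body></html>"
REAL_PACKAGE = make_zip({"manifest.ini": "name=demo\n"})


def run_demo() -> dict:
    """Return {filename: (passes extension check, passes hardened check)}."""
    cases = [
        ("package.zip", REAL_PACKAGE, "application/zip"),  # legitimate upload
        ("evil.html", HTML_PAYLOAD, "text/html"),          # wrong extension
        ("evil.zip", HTML_PAYLOAD, "application/zip"),     # spoofed name and header
    ]
    return {
        name: (extension_check(name), hardened_check(name, data, ctype))
        for name, data, ctype in cases
    }


if __name__ == "__main__":
    for name, (ext_ok, hardened_ok) in run_demo().items():
        print(f"{name:12s} extension-only={ext_ok!s:5s} hardened={hardened_ok}")
```

The sniffing here is deliberately minimal; in production use a real detector (for PHP, finfo with FILEINFO_MIME_TYPE) and keep the extension allow-list as a second gate. Serving uploaded files with Content-Disposition: attachment and X-Content-Type-Options: nosniff further limits what a browser will execute even if a check is bypassed.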
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- instantsoft/icms2: Range <2.16.1-git
- instantsoft/instantsoft/icms2v5: Range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.