Cross-site Scripting (XSS) - Stored in instantsoft/icms2
Description
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in instantsoft/icms2 prior to 2.16.1-git allows attackers to inject arbitrary web scripts via the Imperavi Redactor WYSIWYG editor.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in instantsoft/icms2 versions prior to 2.16.1-git. The flaw resides in the setCode and setCodeIframe methods of the Imperavi Redactor editor component. The editor did not sanitize HTML input before inserting it into the page's DOM, allowing malicious scripts to be stored and executed. Affected versions: all branches before commit 7e9d79818bd52dfa7811d5978c72785054c65242. [1]
Exploitation
An attacker with the ability to submit content through the WYSIWYG editor (e.g., an authenticated user with content creation privileges) can craft HTML containing event handlers such as onmouseover or onclick, or use dangerous attribute values like javascript: in src or href attributes. The injected code is stored in the database and executed when any victim views the affected page. No additional user interaction beyond viewing the page is required. [1][2]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The compromise occurs at the privilege level of the victim, which could be an administrator or regular user. [2]
Mitigation
The vulnerability is fixed in icms2 version 2.16.1-git and later, released with commit 7e9d798. The fix adds a sanitizeHTML function that strips dangerous attributes (on*, javascript:, data:text/html) from src, href, and xlink:href values before inserting HTML into the editor [1]. Users should upgrade to the patched version immediately. No workaround is available in the references. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
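As an added illustration of the mitigation described above (example code, not icms2's or Redactor's own sanitizeHTML), the following applies the same rule set: it drops on* attributes and rejects javascript: and data:text/html values in src, href and xlink:href; stripping script elements and decoding numeric character references are additions beyond the described fix. It is regex-based so it runs anywhere, but a production sanitizer should operate on a parsed DOM with an attribute allow-list.

```javascript
// Added example, not project code: a sanitizer following the rule set the fix
// describes. Regex-based for portability; real deployments should sanitize a
// parsed DOM with an allow-list rather than pattern-match markup.
const URL_ATTRS = new Set(['src', 'href', 'xlink:href']);
const DANGEROUS_SCHEMES = ['javascript:', 'vbscript:', 'data:text/html'];
// attribute name, optional "= value" (double-quoted, single-quoted or unquoted)
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
const START_TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^>]*?)?)(\/?)>/g;
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

function decodeEntities(s) {
  // Decode numeric references so "&#106;avascript:" is compared as "javascript:".
  const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)));
}

function isDangerousUrl(rawValue) {
  const unquoted = rawValue.replace(/^["']|["']$/g, '');
  // Browsers ignore leading/embedded control characters and whitespace in the scheme.
  const v = decodeEntities(unquoted).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return DANGEROUS_SCHEMES.some((scheme) => v.startsWith(scheme));
}

function sanitizeAttributes(attrs) {
  const kept = [];
  for (const m of attrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2];
    if (name.startsWith('on')) continue; // inline event handlers (onclick, onmouseover, ...)
    if (URL_ATTRS.has(name) && value !== undefined && isDangerousUrl(value)) continue;
    kept.push(value === undefined ? m[1] : `${m[1]}=${value}`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitizeHTML(html) {
  // Remove script elements, then rewrite every start tag with filtered attributes.
  return html
    .replace(SCRIPT_RE, '')
    .replace(START_TAG_RE, (_, tag, attrs, selfClose) =>
      `<${tag}${sanitizeAttributes(attrs)}${selfClose}>`);
}
```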
Affected products
- Range: < 2.16.1-git
- instantsoft/instantsoft/icms2v5: Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References