External Control of System or Configuration Setting in instantsoft/icms2
Description
External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An external control of system or configuration setting in instantsoft/icms2 prior to 2.16.1-git allows attackers to send messages to themselves and bypass HTML sanitization.
Vulnerability
CVE-2023-4704 is an external control of system or configuration setting vulnerability in instantsoft/icms2 versions prior to 2.16.1-git. The issue resides in the messaging system, where the application fails to prevent a user from adding themselves as a contact or sending messages to themselves. Additionally, the HTML sanitization function sanitizeHTML is not called in certain code paths, such as in setEditor and setFullpageOnInit, allowing unsanitized HTML to be processed. The commit bc22d89691fdaf38055eba13dda8d959b16fa731 addresses these flaws by adding checks to forbid self-contact and ensuring sanitization is applied consistently [1][2].
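The description above names two defensive properties the fix restores: a user may not add or message themselves, and every code path that accepts user HTML runs it through the sanitizer. The following is an added example illustrating both in a small, self-contained messaging backend; it is not code from instantsoft/icms2, and all names (MessageService, sanitize_html, SelfContactError, raises) are hypothetical. The sanitizer is a conservative allowlist built on the standard library's HTMLParser, so it drops unknown tags, drops the body of script and style elements, and strips href values whose scheme is not http, https or mailto.

```python
"""Added example for the CVE-2023-4704 discussion: forbid self-contact and
self-messaging, and route all user-supplied HTML through one sanitization
choke point. Not code from instantsoft/icms2; all names are hypothetical."""
from html import escape
from html.parser import HTMLParser

# Conservative allowlist: anything not listed here is dropped, not escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_until = None  # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_until = tag  # drop the element and its body
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # javascript:, data: and other schemes are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>

    def handle_endtag(self, tag):
        if tag == self._skip_until:
            self._skip_until = None
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_until is None:
            self.out.append(escape(data))


def sanitize_html(raw: str) -> str:
    """The single sanitization entry point every code path must call."""
    parser = _AllowlistSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


class SelfContactError(ValueError):
    """Raised when a user tries to add or message themselves."""


class MessageService:
    """Toy messaging backend (hypothetical) with the guards in place."""

    def __init__(self):
        self._contacts = {}  # user_id -> set of contact user_ids
        self._inbox = {}     # user_id -> list of (sender_id, clean_html)

    def add_contact(self, user_id, contact_id):
        if user_id == contact_id:
            raise SelfContactError("a user may not add themselves as a contact")
        self._contacts.setdefault(user_id, set()).add(contact_id)

    def send_message(self, sender_id, recipient_id, raw_html):
        # An explicit self-message check means the contact-existence check
        # below cannot be sidestepped by choosing yourself as the recipient.
        if sender_id == recipient_id:
            raise SelfContactError("a user may not message themselves")
        if recipient_id not in self._contacts.get(sender_id, set()):
            raise PermissionError("recipient is not in the sender's contacts")
        clean = sanitize_html(raw_html)  # always applied, whatever editor path
        self._inbox.setdefault(recipient_id, []).append((sender_id, clean))
        return clean

    def inbox(self, user_id):
        return list(self._inbox.get(user_id, []))


def raises(exc_type, fn, *args):
    """Return True if fn(*args) raises exc_type; lets callers verify guards."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample message containing markup the allowlist should strip.
    sample = '<p>Hi <b>there</b><script>alert(1)</script><a href="javascript:alert(1)">x</a></p>'
    svc = MessageService()
    svc.add_contact(1, 2)
    print(svc.send_message(1, 2, sample))  # <p>Hi <b>there</b><a>x</a></p>
    print(raises(SelfContactError, svc.add_contact, 1, 1))  # True
```

The point of having one sanitize_html and calling it from send_message rather than from each editor entry point is that a new code path cannot forget the call: the storage layer refuses to accept anything that has not been through it.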
Exploitation
An attacker with a valid user account on the icms2 instance can exploit this vulnerability by sending a message to themselves, which bypasses the contact existence check. Furthermore, by crafting a message with malicious HTML content, the attacker can leverage the missing sanitization in the editor functions to inject arbitrary HTML or JavaScript. The attack requires no special privileges beyond a standard user account and can be performed remotely via the web interface [1][2].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML or JavaScript into the application, leading to cross-site scripting (XSS) attacks. This can result in information disclosure, session hijacking, or other client-side attacks against other users who view the crafted content. The vulnerability does not directly lead to remote code execution but compromises the confidentiality and integrity of user data [1][2].
Mitigation
The vulnerability is fixed in version 2.16.1-git, released on or after the commit date of September 1, 2023. Users should upgrade to this version or later. There are no known workarounds for earlier versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <2.16.1-git
- instantsoft/instantsoft/icms2v5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.