SQL injection in index_chart_data action
Description
InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model filterFunc function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The period should be escaped before inserting it in the query. As of time of publication, a patched version is not available.
Affected products
2- Range: =2.16.2
- Range: = 2.16.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `index_chart_data` action allows user-supplied `period` input to be passed unsanitized into an SQL statement via the `filterFunc` function."
Attack vector
An attacker with administrative privileges sends a crafted POST request to the `/admin/index_chart_data` endpoint with a malicious `interval` parameter containing SQL injection payloads [ref_id=1]. The request must include a valid session cookie, the `X-Requested-With: XMLHttpRequest` header, and `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` [ref_id=1]. The unsanitized input flows into the `filterFunc` function, which embeds it directly into an SQL statement, allowing the attacker to execute arbitrary SQL code [ref_id=1].
Affected code
The vulnerability is in the `index_chart_data` action, which receives user input and passes it unsanitized to the core model `filterFunc` function, which embeds the data directly into an SQL statement [ref_id=1]. The `period` parameter is the specific input that should be escaped before being inserted into the query [ref_id=1]. No patch files are available in the bundle.
What the fix does
As of the time of publication, no patched version is available [ref_id=1]. The advisory states that the `period` parameter should be escaped before being inserted into the query to prevent SQL injection [ref_id=1]. The fix would involve sanitizing or parameterizing the user-supplied input in the `index_chart_data` action before passing it to the `filterFunc` function.
Preconditions
- authAttacker must have administrative privileges on the InstantCMS instance
- authAttacker must have a valid session cookie
- inputThe request must include X-Requested-With: XMLHttpRequest header
- inputThe request must use Content-Type: application/x-www-form-urlencoded
Reproduction
1. Log in to InstantCMS using an account with administrative privileges and copy the session cookie. 2. Insert the cookie in the format `NAME=VALUE` and send the following request: `curl -X POST http://instantcms.seclab/admin/index_chart_data -b "COOKIE;" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "id=content§ion=news&interval=SLEEP(3):day"` [ref_id=1]. The server will sleep for 3 seconds before returning the response, confirming the SQL injection [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.phpmitrex_refsource_MISC
- github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.phpmitrex_refsource_MISC
- github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fwmitrex_refsource_CONFIRM
- user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.pngmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.