CVE-2024-50348: Stored XSS Vulnerability in InstantCMS

Updated: December 24th, 2024

Product Name: InstantCMS
Vulnerability: Stored XSS
Vulnerable Version: 2.16.2 and earlier (<2.16.2)
CVE: CVE-2024-50348

The researchers from Astra’s security team, on November 6, 2024, found a Stored Cross-Site Scripting (XSS) in InstantCMS, a free and open-source CMS that allows you to build websites. The vulnerability was identified in the photo album page’s photo upload function.

A stored XSS vulnerability occurs when an application accepts malicious user input, stores it without proper sanitization, and later serves it to other users of the application.

CVE-2024-50348: Technical Breakdown

How Was It Discovered?

While testing on the demo app, Astra’s security researchers discovered that the uploaded images were not properly sanitized, allowing malicious scripts to be injected along with the images.

During the analysis, an <img> tag whose onerror attribute carried the XSS payload was embedded with the uploaded image via its metadata.

How To Recreate This Vulnerability?

Inject Payload

Insert the following payload in the Camera Model Name metadata field:

test<img src="asd" onerror="alert(1)">

Submit Request

Upload the image on the photo upload page.

Observe Rendering

Impact of Stored XSS

Session Hijacking

Once the image is injected, attackers can target users who visit the affected page and steal sensitive user session information like cookies and session tokens, leading to account takeovers.

Malware Propagation

The attackers can leverage the stored XSS vulnerability to deploy malware or ransomware. Once the payload is stored, the malicious script runs for every user who views the vulnerable page.

Website Defacement

Malicious scripts can modify the content of web pages, presenting misleading information or making it hard for users to tell malicious content apart from legitimate content before engaging with it.


Current Status

Once the vulnerability was found, researchers notified the development team of InstantCMS, who then acknowledged the vulnerability in versions <2.16.3 of the application. This issue was mitigated by sanitizing the uploaded images and clearing the metadata in their update in v2.16.3.
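The two mitigations described above, clearing image metadata on upload and sanitizing what is rendered, as an added example written for this advisory (not InstantCMS code). The JPEG byte stream is constructed inline with the page’s payload in the APP1 segment; the real EXIF TIFF/IFD structure is omitted because the stripper only needs segment boundaries.

```python
import html
import struct

# Constructed sample input, not a real upload: a minimal JPEG skeleton whose
# APP1 (EXIF) segment carries the page's payload where a camera Model string
# would normally sit. The TIFF/IFD structure is deliberately omitted.
PAYLOAD = 'test<img src="asd" onerror="alert(1)">'

def build_sample_jpeg(model_text: str) -> bytes:
    exif_body = b"Exif\x00\x00" + model_text.encode()
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_body) + 2) + exif_body
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x00"   # a segment to keep
    return b"\xff\xd8" + app1 + dqt + b"\xff\xd9"

def strip_metadata(jpeg: bytes) -> bytes:
    """Drop every APP1 segment (EXIF/XMP) and copy all other segments through."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker == b"\xff\xd9":                 # EOI: done
            out += marker
            break
        if marker == b"\xff\xda":                 # SOS: image data follows, keep the rest
            out += jpeg[pos:]
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker != b"\xff\xe1":
            out += jpeg[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
    return bytes(out)

def render_caption_vulnerable(model: str) -> str:
    # Interpolating the metadata string into HTML verbatim is the bug class
    # the advisory describes: the <img onerror> inside it becomes live markup.
    return f'<span class="camera">{model}</span>'

def render_caption_safe(model: str) -> str:
    # Escaping at output time turns the tag characters into inert entities.
    return f'<span class="camera">{html.escape(model, quote=True)}</span>'
```

Stripping metadata on upload removes the stored payload; escaping at render time protects any field that still reaches a template.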

What Can You Do?

To avoid potential exploitation, users are strongly advised to update InstantCMS to the latest version, which includes essential security patches.