Product Name: InstantCMS
Vulnerability: Stored XSS
Vulnerable Versions: 2.16.2 and earlier (all versions below 2.16.3)
CVE: CVE-2024-50348
On November 6, 2024, researchers from Astra’s security team found a Stored Cross-Site Scripting (XSS) vulnerability in InstantCMS, a free and open-source CMS for building websites. The vulnerability was identified in the photo upload function of the photo album page.
A stored XSS vulnerability occurs when an application saves user-supplied input without proper sanitization or output encoding and later renders it to other users of the application, so the injected script runs in their browsers.
CVE-2024-50348: Technical Breakdown
How Was It Discovered?
While testing on the demo app, Astra’s security researchers discovered that the metadata of uploaded images was not properly sanitized, allowing malicious scripts to be injected along with the images.
During the analysis, the payload placed in the image metadata was an <img> tag whose src cannot load, with the script carried in its onerror attribute.
How To Recreate This Vulnerability?
Inject Payload
Set the Camera Model Name metadata field (the EXIF Model tag) of an image to the following payload:
test<img src="asd" onerror="alert(1)">
Submit Request
Upload the image on the photo upload page
Observe Rendering
- Visit https://demo.instantcms.io/photos/camera-{payload}, where {payload} is the camera model string taken from the uploaded image
- The image referenced by src="asd" fails to load, the onerror handler fires, and the injected XSS payload executes immediately.
Impact of Stored XSS
Session Hijacking
Once the malicious image is stored, attackers can target every user who visits the affected page and steal sensitive session data such as cookies and session tokens, leading to account takeovers.
Malware Propagation
Attackers can leverage the stored XSS vulnerability to deliver malware or ransomware. Once the payload is stored, the malicious script affects every user who views the vulnerable page.
Website Defacement
Malicious scripts can modify the content of web pages, presenting misleading information or injecting malicious content that users cannot distinguish from the legitimate page and may interact with.
Current Status
After the vulnerability was found, the researchers notified the InstantCMS development team, who acknowledged that all versions below 2.16.3 were affected. The issue was mitigated in v2.16.3 by sanitizing uploaded images and clearing their metadata.
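The following Python is an added example, not InstantCMS code and not part of Astra’s write-up. It models the whole chain the reproduction steps and the fix describe: a JPEG whose EXIF Model tag (Camera Model Name) carries the page's payload, a metadata reader that extracts it the way a CMS would, the unsafe rendering that reproduces the bug, and two remedies (context-aware output encoding, and stripping the metadata as v2.16.3 does). The JPEG is constructed inline and is not a decodable picture; the /photos/camera-... link shape follows the URL in the reproduction steps, while the surrounding markup and all function names are assumptions made for the example.

```python
import html
import struct
from typing import Optional
from urllib.parse import quote

# Example code for the advisory, not InstantCMS code. Payload is the one from
# the reproduction steps; everything else here is an assumed model of the flow.
PAYLOAD = 'test<img src="asd" onerror="alert(1)">'

EXIF_MODEL_TAG = 0x0110  # TIFF/EXIF "Model" tag (Camera Model Name), ASCII type 2


def build_exif_jpeg(model: str) -> bytes:
    """Constructed sample: SOI + one EXIF APP1 segment carrying `model` + EOI.

    Not a decodable picture, but structurally what a metadata reader sees.
    Mirrors a malicious upload whose Camera Model Name is `model`.
    """
    model_bytes = model.encode("ascii") + b"\x00"
    tiff = b"II" + struct.pack("<HI", 42, 8)  # little-endian TIFF header, IFD0 at offset 8
    ifd_end = 8 + 2 + 12 + 4                  # entry count + one entry + next-IFD pointer
    if len(model_bytes) <= 4:                 # values of <= 4 bytes live inline in the entry
        entry = struct.pack("<HHI", EXIF_MODEL_TAG, 2, len(model_bytes)) + model_bytes.ljust(4, b"\x00")
        tail = b""
    else:                                     # longer values are stored after the IFD
        entry = struct.pack("<HHII", EXIF_MODEL_TAG, 2, len(model_bytes), ifd_end)
        tail = model_bytes
    tiff += struct.pack("<H", 1) + entry + struct.pack("<I", 0) + tail
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _segments(data: bytes):
    """Yield (marker, raw segment bytes) per header segment; SOS/EOI gets the remainder."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more header segments follow
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _model_from_tiff(tiff: bytes) -> Optional[str]:
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, value = struct.unpack(endian + "HHII", entry)
        if tag == EXIF_MODEL_TAG and typ == 2:
            raw = entry[8:8 + n] if n <= 4 else tiff[value:value + n]
            return raw.rstrip(b"\x00").decode("ascii", "replace")
    return None


def read_exif_model(data: bytes) -> Optional[str]:
    """Pull the Model tag out of IFD0, as a CMS metadata reader would."""
    for marker, seg in _segments(data):
        if marker == 0xE1 and seg[4:10] == b"Exif\x00\x00":
            return _model_from_tiff(seg[10:])
    return None


def strip_exif(data: bytes) -> bytes:
    """The remedy the advisory reports for v2.16.3: drop the EXIF APP1 segment entirely."""
    out = bytearray(data[:2])
    for marker, seg in _segments(data):
        if marker == 0xE1 and seg[4:10] == b"Exif\x00\x00":
            continue
        out += seg
    return bytes(out)


def render_vulnerable(model: str) -> str:
    """Untrusted metadata concatenated straight into the page: the bug class."""
    return f'<a href="/photos/camera-{model}">{model}</a>'


def render_escaped(model: str) -> str:
    """Context-aware encoding: percent-encode in the URL path, HTML-escape in text."""
    return f'<a href="/photos/camera-{quote(model, safe="")}">{html.escape(model, quote=True)}</a>'


if __name__ == "__main__":
    jpeg = build_exif_jpeg(PAYLOAD)
    model = read_exif_model(jpeg)
    print("vulnerable:", render_vulnerable(model))
    print("escaped:   ", render_escaped(model))
    print("after strip_exif:", read_exif_model(strip_exif(jpeg)))
```

Stripping metadata removes this particular input source, but the durable fix is the encoding in render_escaped: any other field that reaches the page (file names, captions, later-added metadata readers) is safe only if it is encoded for the context it lands in.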
What Can You Do?
To avoid potential exploitation, users are strongly advised to update InstantCMS to version 2.16.3 or later, which includes the fix for this issue.