{"id":36794,"date":"2024-12-24T03:37:07","date_gmt":"2024-12-23T22:07:07","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=36794"},"modified":"2024-12-24T04:04:50","modified_gmt":"2024-12-23T22:34:50","slug":"cve-2024-50348-stored-xss-vulnerability-in-instantcms","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/vulnerability\/cve-2024-50348-stored-xss-vulnerability-in-instantcms\/","title":{"rendered":"CVE-2024-50348: Stored XSS Vulnerability in InstantCMS"},"content":{"rendered":"<div class=\"gb-container gb-container-103ab313\">\n\n<p class=\"wp-block-paragraph\"><strong>Product Name:<\/strong> InstantCMS<br><strong>Vulnerability:<\/strong> Stored XSS<br><strong>Vulnerable Version: <\/strong>2.16.2 &amp; &lt;2.16.2<br><strong>CVE:<\/strong> CVE-2024-50348<\/p>\n\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">On November 6, 2024, researchers from Astra\u2019s security team found a stored Cross-Site Scripting (XSS) vulnerability in InstantCMS, a free and open-source CMS for building websites. 
The vulnerability was identified in the photo album page&#8217;s photo upload function.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A <a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/\" target=\"_blank\" rel=\"noopener\">stored XSS vulnerability<\/a> occurs when an application accepts malicious user input, stores it without proper sanitization, and later renders it to other application users.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"CVE-2024-50348_Technical_Breakdown\"><\/span><strong>CVE-2024-50348: Technical Breakdown<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How Was It Discovered?<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">While testing on the demo app, Astra&#8217;s security researchers discovered that the uploaded images were not properly sanitized, allowing malicious scripts to be injected along with the images.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">During the analysis, the payload was delivered as an <code>&lt;img><\/code> tag embedded with the uploaded image, with the script carried in its <code>onerror<\/code> attribute.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How To Recreate This Vulnerability?<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Inject Payload<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Insert the following payload in the Camera Model Name metadata field:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>test&lt;img src=\"asd\" onerror=\"alert(1)\"><\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Submit Request<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Upload the image on the photo upload page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Observe Rendering<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Visit the <a href=\"https:\/\/demo.instantcms.io\/photos\/camera-%7Bpayload%7D\" target=\"_blank\" 
rel=\"noopener\">https:\/\/demo.instantcms.io\/photos\/camera-{payload}<\/a><\/li>\n\n\n\n<li>The image fails to load, the <code>onerror<\/code> handler fires, and the injected XSS payload executes immediately.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Impact_of_Stored_XSS\"><\/span><strong>Impact of Stored XSS<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Session Hijacking<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Once the malicious image is uploaded, attackers can target users who visit the affected page and steal sensitive session information such as cookies and session tokens, leading to account takeover.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Malware Propagation<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers can leverage the stored XSS vulnerability to deliver malware or ransomware. Once the payload is stored, the malicious script runs for every user who views the vulnerable page.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Website Defacement<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Malicious scripts can modify page content, presenting misleading information or disguising malicious content so that users cannot recognise it and interact with it unknowingly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Current_Status\"><\/span><strong>Current Status<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Once the vulnerability was found, researchers notified the InstantCMS development team, who acknowledged the vulnerability in versions &lt;2.16.3 of the application. 
The issue was fixed in v2.16.3, which sanitizes uploaded images and strips their metadata.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Can_You_Do\"><\/span><strong>What Can You Do?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To avoid potential exploitation, users are strongly advised to update <a href=\"https:\/\/github.com\/instantsoft\/icms2\" target=\"_blank\" rel=\"noopener\">InstantCMS<\/a> to the latest version, which includes essential security patches.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product Name: InstantCMSVulnerability: Stored XSSVulnerable Version: 2.16.2 &amp; &lt;2.16.2CVE: CVE-2024-50348 The researchers from Astra\u2019s security team, on November 6, 2024, found a Stored Cross-Site Scripting (XSS) in InstantCMS, a free and open-source CMS that allows you to build websites. The vulnerability was identified in the photo album page&#8217;s photo upload function. 
A stored XSS vulnerability &#8230; <a title=\"CVE-2024-50348: Stored XSS Vulnerability in InstantCMS\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/vulnerability\/cve-2024-50348-stored-xss-vulnerability-in-instantcms\/\" aria-label=\"Read more about CVE-2024-50348: Stored XSS Vulnerability in InstantCMS\">Read more<\/a><\/p>\n","protected":false},"author":121,"featured_media":36795,"comment_status":"open","ping_status":"0","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[723],"tags":[],"class_list":["post-36794","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/36794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/121"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=36794"}],"version-history":[{"count":2,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/36794\/revisions"}],"predecessor-version":[{"id":36802,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/36794\/revisions\/36802"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/36795"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=36794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=36794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=36794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}