Search criteria
21 vulnerabilities by InstantCMS
CVE-2025-59055 (GCVE-0-2025-59055)
Vulnerability from cvelistv5 – Published: 2025-09-11 18:46 – Updated: 2025-09-11 19:10
VLAI?
Summary
InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability in InstantCMS up to and including 2.17.3 allows authenticated remote attackers to make nay HTTP/HTTPS request via the package parameter. It is possible to make any HTTP/HTTPS request to any website in installer functionality. Due to such vulnerability it is possible to for example scan local network, call local services and its functions, conduct a DoS attack, and/or disclose a server's real IP if it's behind a reverse proxy. It is also possible to exhaust server resources by sending plethora of such requests. As of time of publication, no patched releases are available.
Severity ?
4.7 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | icms2 |
Affected:
<= 2.17.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59055",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T19:02:26.134051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T19:10:51.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icms2",
"vendor": "instantsoft",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.17.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability in InstantCMS up to and including 2.17.3 allows authenticated remote attackers to make nay HTTP/HTTPS request via the package parameter. It is possible to make any HTTP/HTTPS request to any website in installer functionality. Due to such vulnerability it is possible to for example scan local network, call local services and its functions, conduct a DoS attack, and/or disclose a server\u0027s real IP if it\u0027s behind a reverse proxy. It is also possible to exhaust server resources by sending plethora of such requests. As of time of publication, no patched releases are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T18:46:29.139Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-79hh-mhvg-whrw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-79hh-mhvg-whrw"
},
{
"name": "https://github.com/instantsoft/icms2/commit/fa997bdab3429fad0c850966bfacbcb96d5ab041",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/instantsoft/icms2/commit/fa997bdab3429fad0c850966bfacbcb96d5ab041"
}
],
"source": {
"advisory": "GHSA-79hh-mhvg-whrw",
"discovery": "UNKNOWN"
},
"title": "InstantCMS vulnerable to Server-Side Request Forgery via package installer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59055",
"datePublished": "2025-09-11T18:46:29.139Z",
"dateReserved": "2025-09-08T16:19:26.173Z",
"dateUpdated": "2025-09-11T19:10:51.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-10051 (GCVE-0-2013-10051)
Vulnerability from cvelistv5 – Published: 2025-08-01 20:41 – Updated: 2025-11-20 23:31
VLAI?
Summary
A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.
Severity ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstantCMS | InstantCMS |
Affected:
* , ≤ 1.6
(semver)
|
Credits
Ricardo Jorge Borges de Almeida
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2013-10051",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T14:45:34.300173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T14:46:57.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/26622"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"search view handler"
],
"product": "InstantCMS",
"vendor": "InstantCMS",
"versions": [
{
"lessThanOrEqual": "1.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instantcms:instantcms:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.6",
"versionStartIncluding": "*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ricardo Jorge Borges de Almeida"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of \u003ccode\u003eeval()\u003c/code\u003e within the \u003ccode\u003esearch\u003c/code\u003e view handler. Specifically, user-supplied input passed via the \u003ccode\u003elook\u003c/code\u003e parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the \u003ccode\u003eCmd\u003c/code\u003e header, resulting in arbitrary PHP code execution within the context of the web server.\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
},
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T23:31:54.804Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/instantcms_exec.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/26622"
},
{
"tags": [
"exploit"
],
"url": "https://packetstorm.news/files/id/122176"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/instantcms-remote-php-code-execution"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "InstantCMS \u003c= 1.6 Remote PHP Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2013-10051",
"datePublished": "2025-08-01T20:41:38.540Z",
"dateReserved": "2025-08-01T15:08:19.335Z",
"dateUpdated": "2025-11-20T23:31:54.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50348 (GCVE-0-2024-50348)
Vulnerability from cvelistv5 – Published: 2024-10-29 22:25 – Updated: 2024-10-30 13:13
VLAI?
Summary
InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | icms2 |
Affected:
< 2.16.3
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantcms:icms2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icms2",
"vendor": "instantcms",
"versions": [
{
"lessThan": "2.16.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50348",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T13:11:41.901398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T13:13:20.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icms2",
"vendor": "instantsoft",
"versions": [
{
"status": "affected",
"version": "\u003c 2.16.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T22:25:19.138Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-f6cf-jg84-fw29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-f6cf-jg84-fw29"
},
{
"name": "https://github.com/instantsoft/icms2/commit/e02de2fa1850bb40c9b2050b9256c838a0ea7aa3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/instantsoft/icms2/commit/e02de2fa1850bb40c9b2050b9256c838a0ea7aa3"
}
],
"source": {
"advisory": "GHSA-f6cf-jg84-fw29",
"discovery": "UNKNOWN"
},
"title": "InstantCMS has a Cross Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-50348",
"datePublished": "2024-10-29T22:25:19.138Z",
"dateReserved": "2024-10-22T17:54:40.957Z",
"dateUpdated": "2024-10-30T13:13:20.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31213 (GCVE-0-2024-31213)
Vulnerability from cvelistv5 – Published: 2024-04-05 14:43 – Updated: 2024-08-02 01:46
VLAI?
Summary
InstantCMS is a free and open source content management system. An open redirect was found in the ICMS2 application version 2.16.2 when being redirected after modifying one's own user profile. An attacker could trick a victim into visiting their web application, thinking they are still present on the ICMS2 application. They could then host a website stating "To update your profile, please enter your password," upon which the user may type their password and send it to the attacker. As of time of publication, a patched version is not available.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | icms2 |
Affected:
< 2.16.2
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantsoft:instantcms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "instantcms",
"vendor": "instantsoft",
"versions": [
{
"lessThanOrEqual": "2.16.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T18:35:03.892458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T16:20:08.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-6v3c-p92q-prfq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-6v3c-p92q-prfq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icms2",
"vendor": "instantsoft",
"versions": [
{
"status": "affected",
"version": "\u003c 2.16.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InstantCMS is a free and open source content management system. An open redirect was found in the ICMS2 application version 2.16.2 when being redirected after modifying one\u0027s own user profile. An attacker could trick a victim into visiting their web application, thinking they are still present on the ICMS2 application. They could then host a website stating \"To update your profile, please enter your password,\" upon which the user may type their password and send it to the attacker. As of time of publication, a patched version is not available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T14:43:06.893Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-6v3c-p92q-prfq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-6v3c-p92q-prfq"
}
],
"source": {
"advisory": "GHSA-6v3c-p92q-prfq",
"discovery": "UNKNOWN"
},
"title": "InstantCMS Open Redirect vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31213",
"datePublished": "2024-04-05T14:43:06.893Z",
"dateReserved": "2024-03-29T14:16:31.901Z",
"dateUpdated": "2024-08-02T01:46:04.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31212 (GCVE-0-2024-31212)
Vulnerability from cvelistv5 – Published: 2024-04-04 23:02 – Updated: 2024-08-02 01:46
VLAI?
Summary
InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model `filterFunc` function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The `period` should be escaped before inserting it in the query. As of time of publication, a patched version is not available.
Severity ?
6.7 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | icms2 |
Affected:
= 2.16.2
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantcms:icms2:2.16.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icms2",
"vendor": "instantcms",
"versions": [
{
"status": "affected",
"version": "2.16.2"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31212",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T00:00:40.930646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T00:02:15.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.773Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fw"
},
{
"name": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.php#L190",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.php#L190"
},
{
"name": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.php#L744",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.php#L744"
},
{
"name": "https://user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icms2",
"vendor": "instantsoft",
"versions": [
{
"status": "affected",
"version": "= 2.16.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InstantCMS is a free and open source content management system. A SQL injection vulnerability affects instantcms v2.16.2 in which an attacker with administrative privileges can cause the application to execute unauthorized SQL code. The vulnerability exists in index_chart_data action, which receives an input from user and passes it unsanitized to the core model `filterFunc` function that further embeds this data in an SQL statement. This allows attackers to inject unwanted SQL code into the statement. The `period` should be escaped before inserting it in the query. As of time of publication, a patched version is not available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-04T23:02:38.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-qx95-w566-73fw"
},
{
"name": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.php#L190",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/controllers/admin/actions/index_chart_data.php#L190"
},
{
"name": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.php#L744",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/instantsoft/icms2/blob/4691a1524780e74107f6009b48d91e17a81b0fa1/system/core/model.php#L744"
},
{
"name": "https://user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png",
"tags": [
"x_refsource_MISC"
],
"url": "https://user-images.githubusercontent.com/109034767/300806111-a33d9548-d99f-4034-bef3-fbd7fa62c37f.png"
}
],
"source": {
"advisory": "GHSA-qx95-w566-73fw",
"discovery": "UNKNOWN"
},
"title": "SQL injection in index_chart_data action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31212",
"datePublished": "2024-04-04T23:02:38.775Z",
"dateReserved": "2024-03-29T14:16:31.900Z",
"dateUpdated": "2024-08-02T01:46:04.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4928 (GCVE-0-2023-4928)
Vulnerability from cvelistv5 – Published: 2023-09-13 00:00 – Updated: 2024-09-25 17:12
VLAI?
Summary
SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:44:53.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/cb72cc17-5a0d-4392-9a5f-a13aa773de9e"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/3a6b148fa2c943ee7647e0cd14bf68e026b15548"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantcms:icms2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icms2",
"vendor": "instantcms",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4928",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T17:11:20.485802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T17:12:50.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-13T00:00:20.370Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/cb72cc17-5a0d-4392-9a5f-a13aa773de9e"
},
{
"url": "https://github.com/instantsoft/icms2/commit/3a6b148fa2c943ee7647e0cd14bf68e026b15548"
}
],
"source": {
"advisory": "cb72cc17-5a0d-4392-9a5f-a13aa773de9e",
"discovery": "EXTERNAL"
},
"title": "SQL Injection in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4928",
"datePublished": "2023-09-13T00:00:20.370Z",
"dateReserved": "2023-09-13T00:00:07.468Z",
"dateUpdated": "2024-09-25T17:12:50.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4879 (GCVE-0-2023-4879)
Vulnerability from cvelistv5 – Published: 2023-09-10 17:53 – Updated: 2024-09-26 15:32
VLAI?
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1.-git.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1.-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/7df6b167-3c39-4563-9b8a-33613e25cf27"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/d0aeeaf5979fbdbf80dc3a3227d6c58442ab7487"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T15:32:00.340165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T15:32:29.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1.-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1.-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-10T17:53:35.787Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/7df6b167-3c39-4563-9b8a-33613e25cf27"
},
{
"url": "https://github.com/instantsoft/icms2/commit/d0aeeaf5979fbdbf80dc3a3227d6c58442ab7487"
}
],
"source": {
"advisory": "7df6b167-3c39-4563-9b8a-33613e25cf27",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4879",
"datePublished": "2023-09-10T17:53:35.787Z",
"dateReserved": "2023-09-10T17:53:27.193Z",
"dateUpdated": "2024-09-26T15:32:29.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4878 (GCVE-0-2023-4878)
Vulnerability from cvelistv5 – Published: 2023-09-10 17:49 – Updated: 2024-09-26 15:25
VLAI?
Summary
Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/655c4f77-04b2-4220-bfaf-a4d99fe86703"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/d0aeeaf5979fbdbf80dc3a3227d6c58442ab7487"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T15:25:06.500816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T15:25:50.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-10T17:49:08.351Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/655c4f77-04b2-4220-bfaf-a4d99fe86703"
},
{
"url": "https://github.com/instantsoft/icms2/commit/d0aeeaf5979fbdbf80dc3a3227d6c58442ab7487"
}
],
"source": {
"advisory": "655c4f77-04b2-4220-bfaf-a4d99fe86703",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4878",
"datePublished": "2023-09-10T17:49:08.351Z",
"dateReserved": "2023-09-10T17:48:55.305Z",
"dateUpdated": "2024-09-26T15:25:50.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4704 (GCVE-0-2023-4704)
Vulnerability from cvelistv5 – Published: 2023-09-01 09:55 – Updated: 2024-10-01 13:12
VLAI?
Summary
External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
8.8 (High)
CWE
- CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4a54134d-df1f-43d4-9b14-45f023cd654a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/bc22d89691fdaf38055eba13dda8d959b16fa731"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4704",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T13:12:25.975913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T13:12:36.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "CWE-15 External Control of System or Configuration Setting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-01T09:55:29.640Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4a54134d-df1f-43d4-9b14-45f023cd654a"
},
{
"url": "https://github.com/instantsoft/icms2/commit/bc22d89691fdaf38055eba13dda8d959b16fa731"
}
],
"source": {
"advisory": "4a54134d-df1f-43d4-9b14-45f023cd654a",
"discovery": "EXTERNAL"
},
"title": "External Control of System or Configuration Setting in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4704",
"datePublished": "2023-09-01T09:55:29.640Z",
"dateReserved": "2023-09-01T09:55:18.697Z",
"dateUpdated": "2024-10-01T13:12:36.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4654 (GCVE-0-2023-4654)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 18:05
VLAI?
Summary
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.
Severity ?
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/56432a75-af43-4b1a-9307-bd8de568351b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/ca5f150da11d9caae86638885137afe35bcc3592"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4654",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:05:36.376574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:05:45.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:44.025Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/56432a75-af43-4b1a-9307-bd8de568351b"
},
{
"url": "https://github.com/instantsoft/icms2/commit/ca5f150da11d9caae86638885137afe35bcc3592"
}
],
"source": {
"advisory": "56432a75-af43-4b1a-9307-bd8de568351b",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4654",
"datePublished": "2023-08-31T00:00:44.025Z",
"dateReserved": "2023-08-31T00:00:38.656Z",
"dateUpdated": "2024-10-01T18:05:45.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4655 (GCVE-0-2023-4655)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 18:06
VLAI?
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/e2189ad5-b665-4ba5-b6c4-112e58ae9a97"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/a6a30e7bc96cd2081707388046c0259870533da6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4655",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:06:09.447251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:06:17.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:42.783Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/e2189ad5-b665-4ba5-b6c4-112e58ae9a97"
},
{
"url": "https://github.com/instantsoft/icms2/commit/a6a30e7bc96cd2081707388046c0259870533da6"
}
],
"source": {
"advisory": "e2189ad5-b665-4ba5-b6c4-112e58ae9a97",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4655",
"datePublished": "2023-08-31T00:00:42.783Z",
"dateReserved": "2023-08-31T00:00:38.716Z",
"dateUpdated": "2024-10-01T18:06:17.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4651 (GCVE-0-2023-4651)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 18:41
VLAI?
Summary
Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1.
Severity ?
6.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.625Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/beba9b98-2a5c-4629-987d-b67f47ba9437"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/a6bf758de0b3242b0c0e4b47a588aae0c94305b0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:41:41.039410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:41:52.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:19.707Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/beba9b98-2a5c-4629-987d-b67f47ba9437"
},
{
"url": "https://github.com/instantsoft/icms2/commit/a6bf758de0b3242b0c0e4b47a588aae0c94305b0"
}
],
"source": {
"advisory": "beba9b98-2a5c-4629-987d-b67f47ba9437",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4651",
"datePublished": "2023-08-31T00:00:19.707Z",
"dateReserved": "2023-08-31T00:00:06.697Z",
"dateUpdated": "2024-10-01T18:41:52.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4650 (GCVE-0-2023-4650)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 19:24
VLAI?
Summary
Improper Access Control in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
4.7 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/d92e8985-9d9d-4a62-92e8-ada014ee3b17"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/78ff8ca066e86a65ff35470b5622be3aa7d2f928"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4650",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T19:24:08.320447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T19:24:19.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:19.835Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/d92e8985-9d9d-4a62-92e8-ada014ee3b17"
},
{
"url": "https://github.com/instantsoft/icms2/commit/78ff8ca066e86a65ff35470b5622be3aa7d2f928"
}
],
"source": {
"advisory": "d92e8985-9d9d-4a62-92e8-ada014ee3b17",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4650",
"datePublished": "2023-08-31T00:00:19.835Z",
"dateReserved": "2023-08-31T00:00:06.615Z",
"dateUpdated": "2024-10-01T19:24:19.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4653 (GCVE-0-2023-4653)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 18:21
VLAI?
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/e0bf7e95-fc8c-4fd4-8575-8b46b9431c6d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/7e9d79818bd52dfa7811d5978c72785054c65242"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4653",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:20:45.797823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:21:38.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:19.557Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/e0bf7e95-fc8c-4fd4-8575-8b46b9431c6d"
},
{
"url": "https://github.com/instantsoft/icms2/commit/7e9d79818bd52dfa7811d5978c72785054c65242"
}
],
"source": {
"advisory": "e0bf7e95-fc8c-4fd4-8575-8b46b9431c6d",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4653",
"datePublished": "2023-08-31T00:00:19.557Z",
"dateReserved": "2023-08-31T00:00:07.077Z",
"dateUpdated": "2024-10-01T18:21:38.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4649 (GCVE-0-2023-4649)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 18:37
VLAI?
Summary
Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1.
Severity ?
4.3 (Medium)
CWE
- CWE-384 - Session Fixation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/069bb1f3-0805-480d-a6e1-b3345cdc60f3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/ca5f150da11d9caae86638885137afe35bcc3592"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4649",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:34:27.127122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:37:20.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:19.715Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/069bb1f3-0805-480d-a6e1-b3345cdc60f3"
},
{
"url": "https://github.com/instantsoft/icms2/commit/ca5f150da11d9caae86638885137afe35bcc3592"
}
],
"source": {
"advisory": "069bb1f3-0805-480d-a6e1-b3345cdc60f3",
"discovery": "EXTERNAL"
},
"title": "Session Fixation in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4649",
"datePublished": "2023-08-31T00:00:19.715Z",
"dateReserved": "2023-08-31T00:00:06.465Z",
"dateUpdated": "2024-10-01T18:37:20.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4652 (GCVE-0-2023-4652)
Vulnerability from cvelistv5 – Published: 2023-08-31 00:00 – Updated: 2024-10-01 18:00
VLAI?
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
6.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/7869e4af-fad9-48c3-9e4f-c949e54cbb41"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/7a7e57e77f12f36d0e96be6d5b9066389372dbcd"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:00:24.198998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:00:44.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T00:00:19.459Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/7869e4af-fad9-48c3-9e4f-c949e54cbb41"
},
{
"url": "https://github.com/instantsoft/icms2/commit/7a7e57e77f12f36d0e96be6d5b9066389372dbcd"
}
],
"source": {
"advisory": "7869e4af-fad9-48c3-9e4f-c949e54cbb41",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4652",
"datePublished": "2023-08-31T00:00:19.459Z",
"dateReserved": "2023-08-31T00:00:06.863Z",
"dateUpdated": "2024-10-01T18:00:44.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4381 (GCVE-0-2023-4381)
Vulnerability from cvelistv5 – Published: 2023-08-16 11:02 – Updated: 2024-10-03 13:37
VLAI?
Summary
Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
4.3 (Medium)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:24:04.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/666c2617-e3e9-4955-9c97-2f8ed5262cc3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/58f8b9941b53b606a1b15a4364005cd2b1965507"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T13:37:25.241649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T13:37:37.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-16T11:02:27.189Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/666c2617-e3e9-4955-9c97-2f8ed5262cc3"
},
{
"url": "https://github.com/instantsoft/icms2/commit/58f8b9941b53b606a1b15a4364005cd2b1965507"
}
],
"source": {
"advisory": "666c2617-e3e9-4955-9c97-2f8ed5262cc3",
"discovery": "EXTERNAL"
},
"title": "Unverified Password Change in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4381",
"datePublished": "2023-08-16T11:02:27.189Z",
"dateReserved": "2023-08-16T11:02:13.354Z",
"dateUpdated": "2024-10-03T13:37:37.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4189 (GCVE-0-2023-4189)
Vulnerability from cvelistv5 – Published: 2023-08-05 19:17 – Updated: 2024-10-09 18:33
VLAI?
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/b00e6986-64e7-464e-ba44-e42476bfcdc4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantsoft:instantcms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "instantcms",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:00:33.840839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:33:19.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T19:17:54.146Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/b00e6986-64e7-464e-ba44-e42476bfcdc4"
},
{
"url": "https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f"
}
],
"source": {
"advisory": "b00e6986-64e7-464e-ba44-e42476bfcdc4",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4189",
"datePublished": "2023-08-05T19:17:54.146Z",
"dateReserved": "2023-08-05T19:17:42.658Z",
"dateUpdated": "2024-10-09T18:33:19.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4188 (GCVE-0-2023-4188)
Vulnerability from cvelistv5 – Published: 2023-08-05 19:10 – Updated: 2024-10-09 18:41
VLAI?
Summary
SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/fe9809b6-40ad-4e81-9197-a9aa42e8a7bf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantsoft:instantcms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "instantcms",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4188",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:00:47.298702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:41:52.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T19:10:37.764Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/fe9809b6-40ad-4e81-9197-a9aa42e8a7bf"
},
{
"url": "https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f"
}
],
"source": {
"advisory": "fe9809b6-40ad-4e81-9197-a9aa42e8a7bf",
"discovery": "EXTERNAL"
},
"title": "SQL Injection in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4188",
"datePublished": "2023-08-05T19:10:37.764Z",
"dateReserved": "2023-08-05T19:10:26.889Z",
"dateUpdated": "2024-10-09T18:41:52.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4187 (GCVE-0-2023-4187)
Vulnerability from cvelistv5 – Published: 2023-08-05 17:17 – Updated: 2024-10-09 18:44
VLAI?
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instantsoft | instantsoft/icms2 |
Affected:
unspecified , < 2.16.1-git
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/14941381-b669-4756-94fc-cce172472f8b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instantsoft:instantcms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "instantcms",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4187",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:01:03.161551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:44:07.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "instantsoft/icms2",
"vendor": "instantsoft",
"versions": [
{
"lessThan": "2.16.1-git",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-05T17:17:59.755Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/14941381-b669-4756-94fc-cce172472f8b"
},
{
"url": "https://github.com/instantsoft/icms2/commit/1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f"
}
],
"source": {
"advisory": "14941381-b669-4756-94fc-cce172472f8b",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in instantsoft/icms2"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4187",
"datePublished": "2023-08-05T17:17:59.755Z",
"dateReserved": "2023-08-05T17:17:48.217Z",
"dateUpdated": "2024-10-09T18:44:07.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14382 (GCVE-0-2018-14382)
Vulnerability from cvelistv5 – Published: 2018-07-18 15:00 – Updated: 2024-08-05 09:29
VLAI?
Summary
InstantCMS 2.10.1 has /redirect?url= XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:29:51.197Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/instantsoft/icms2/issues/892"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "InstantCMS 2.10.1 has /redirect?url= XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-18T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/instantsoft/icms2/issues/892"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-14382",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "InstantCMS 2.10.1 has /redirect?url= XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/instantsoft/icms2/issues/892",
"refsource": "MISC",
"url": "https://github.com/instantsoft/icms2/issues/892"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-14382",
"datePublished": "2018-07-18T15:00:00",
"dateReserved": "2018-07-18T00:00:00",
"dateUpdated": "2024-08-05T09:29:51.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}