Skip to main content

Instantcms CVE-2024-50348

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-10-29 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 29, 2024 - 23:15 nvd
MEDIUM 5.4

DescriptionNVD

InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.

AnalysisAI

InstantCMS is a free and open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3. Affected products include: Instantcms.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2013-10051 CRITICAL POC
9.3 Aug 01

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() withi

CVE-2023-4188 CRITICAL POC
9.1 Aug 05

SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated critical severity (CVSS 9.1), this vulne

CVE-2013-6839 HIGH POC
7.5 Dec 13

SQL injection vulnerability in InstantSoft InstantCMS 1.10.3 and earlier allows remote attackers to execute arbitrary SQ

CVE-2024-31212 HIGH POC
7.2 Apr 04

InstantCMS is a free and open source content management system. Rated high severity (CVSS 7.2), this vulnerability is re

CVE-2023-4655 MEDIUM POC
6.1 Aug 31

Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CV

CVE-2018-14382 MEDIUM POC
6.1 Jul 18

InstantCMS 2.10.1 has /redirect?url= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,

CVE-2024-31213 MEDIUM POC
5.4 Apr 05

InstantCMS is a free and open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is

CVE-2023-4878 MEDIUM POC
5.4 Sep 10

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated medium severity (CV

CVE-2023-4652 MEDIUM POC
5.4 Aug 31

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated medium severity (C

CVE-2023-4651 MEDIUM POC
5.4 Aug 31

Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5

CVE-2023-4649 MEDIUM POC
5.4 Aug 31

Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5.4), this vulnerab

CVE-2023-4704 MEDIUM POC
4.9 Sep 01

External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git. Rated me

Share

CVE-2024-50348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy