CVE-2024-50348

EUVD-2024-44833
InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
instantcmsinstantcms
𝑥
< 2.16.3
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
instantcmsicms2
𝑥
< 2.16.3
ADP
Common Weakness Enumeration
References
https://github.com/instantsoft/icms2/commit/e02de2fa1850bb40c9b2050b9256c838a0ea7aa3
https://github.com/instantsoft/icms2/security/advisories/GHSA-f6cf-jg84-fw29