Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30661 is a Reflected Cross-Site Scripting (XSS) vulnerability found in iCMS version 8.0.0, specifically in the User Management module within the file app/user/views/index.html.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the application directly inserts the GET parameters 'regip' and 'loginip' into HTML input elements' value attributes without proper sanitization or escaping."}, {'type': 'paragraph', 'content': "This improper handling allows attackers to inject arbitrary HTML or JavaScript code by breaking out of the value attribute context, enabling execution of malicious scripts in the administrator's browser."}, {'type': 'paragraph', 'content': "For example, an attacker can craft a URL that includes a script tag in the 'regip' parameter, which when accessed, executes the injected script."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have several impacts including:'}, {'type': 'list_item', 'content': "Execution of arbitrary JavaScript in the administrator's browser."}, {'type': 'list_item', 'content': 'Redirecting administrators to malicious websites.'}, {'type': 'list_item', 'content': 'Performing Cross-Site Request Forgery (CSRF) actions via injected JavaScript.'}, {'type': 'list_item', 'content': 'Displaying phishing forms to steal administrator credentials.'}, {'type': 'paragraph', 'content': 'Although cookie theft via document.cookie is mitigated by the HttpOnly flag in this version, other significant XSS impacts remain possible.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the User Management component of iCMS v8.0.0, specifically by checking if the regip or loginip GET parameters are improperly reflected in the HTML without sanitization.'}, {'type': 'paragraph', 'content': "A practical detection method is to craft a URL with a script injection payload in the regip or loginip parameters and observe if the script executes in the administrator's browser."}, {'type': 'paragraph', 'content': 'For example, you can use curl or a browser to request a URL like:'}, {'type': 'list_item', 'content': 'http://<target-host>/admincp.php?app=user&regip=\\"><script>alert(1)</script>'}, {'type': 'paragraph', 'content': 'If the alert box appears or the script executes, the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to sanitize the input parameters regip and loginip before outputting them into the HTML.'}, {'type': 'paragraph', 'content': 'Specifically, apply escaping functions such as htmlspecialchars() in PHP to these parameters to prevent injection of arbitrary HTML or JavaScript.'}, {'type': 'paragraph', 'content': 'For example, modify the code to:'}, {'type': 'list_item', 'content': '<input type="text" ... value="<?php echo htmlspecialchars($_GET[\'regip\']); ?>" />'}, {'type': 'paragraph', 'content': 'This ensures special characters are escaped and script injection is prevented.'}] [1]

Useful 0 Not Useful 0