CodeIgniter4 Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CodeIgniter4 version 4.6.0. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the debugbar_time parameter. The injected script is stored on the server and executed when the debug toolbar is viewed, potentially leading to session hijacking or account takeover, especially if an admin or privileged user is targeted.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the debug toolbar. This could lead to session hijacking and account takeover, particularly for admin users.

Reproduction

To reproduce this vulnerability, send a GET request to the debug endpoint with a script tag injected into the debugbar_time parameter. Because the parameter value is used unmodified in the file name, this creates a file on the server named debugbar_<script>alert('XSS')</script>.json, which contains the injected script. Later, when the debug toolbar is viewed with the same parameter, the application reads the file and echoes its contents back to the browser without escaping, executing the malicious script.

Remediation

Users are advised to sanitize input, escape output, and restrict access to debug tools in production environments.
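The following PHP is an added illustration of those three remediation points, written for this page; it is not CodeIgniter's own code or its actual patch, and it does not reproduce the toolbar's real file paths or internal function names. It assumes that debugbar_time is meant to carry a numeric timestamp (so anything else can be rejected outright), that the toolbar stores its JSON under a directory passed in as $debugDir, and that the caller supplies an $isProduction flag from its own configuration. The helper names (validateDebugbarTime, debugbarFilePath, renderDebugbar) are hypothetical.

```php
<?php
// Added example, not CodeIgniter's own code. Hardened handling of the
// debugbar_time parameter: strict input validation, no raw input in file
// names, escaped output, and no toolbar at all in production.

declare(strict_types=1);

/**
 * Accept only a value shaped like the numeric timestamp the toolbar expects.
 * Assumption: a float-style timestamp such as "1721930000.123".
 * Returns the validated string, or null if the input does not conform.
 * A script tag, a path separator or any other non-numeric byte is rejected.
 */
function validateDebugbarTime(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    if (preg_match('/^\d{1,12}(\.\d{1,6})?$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Build the storage path from an already-validated value only. Because the
 * value is restricted to digits and a dot, it cannot contain "../", a slash,
 * or markup, so the file name cannot be steered outside $debugDir.
 */
function debugbarFilePath(string $debugDir, string $validatedTime): string
{
    return rtrim($debugDir, DIRECTORY_SEPARATOR)
        . DIRECTORY_SEPARATOR . 'debugbar_' . $validatedTime . '.json';
}

/**
 * Read back a stored toolbar file and return a response body that is safe to
 * echo into an HTML page. Stored contents are treated as untrusted and escaped
 * regardless of how they got there.
 */
function renderDebugbar(string $debugDir, ?string $rawTime, bool $isProduction): string
{
    // Remediation point 3: the debug toolbar has no business in production.
    if ($isProduction) {
        http_response_code(404);
        return '';
    }

    // Remediation point 1: validate before the value touches the filesystem.
    $time = validateDebugbarTime($rawTime);
    if ($time === null) {
        http_response_code(400);
        // Constant message: never reflect the rejected input back to the client.
        return 'Invalid debugbar_time';
    }

    $file = debugbarFilePath($debugDir, $time);
    if (!is_file($file)) {
        http_response_code(404);
        return '';
    }

    $contents = file_get_contents($file);
    if ($contents === false) {
        http_response_code(500);
        return '';
    }

    // Remediation point 2: escape output, so even a previously stored payload
    // renders as inert text instead of executing.
    return htmlspecialchars($contents, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Quick self-check with constructed inputs.
var_dump(validateDebugbarTime('1721930000.123'));                 // string "1721930000.123"
var_dump(validateDebugbarTime("<script>alert('XSS')</script>"));  // NULL
var_dump(validateDebugbarTime('../../etc/passwd'));               // NULL
```

The order of the checks matters: the environment gate runs first so the endpoint does not exist in production at all, and the validation runs before any path is built so that a rejected value never reaches the filesystem. Escaping on output is kept even after validation, because files written by an older, unpatched version may already contain markup.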

Added: Jul 25, 2025, 8:31 PM
Updated: Jul 25, 2025, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 7.9
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.