CI4MS CodeIgniter 4-Based CMS Stored Cross-Site Scripting Vulnerability in Mail Settings

Vulnerability

A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises in the System Settings – Mail Settings section, where several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, fail to properly sanitize user-controlled input. This unsanitized input is stored server-side and later rendered without adequate output encoding, allowing for the injection of malicious JavaScript payloads. Unlike typical cross-site scripting vulnerabilities that execute on landing pages, this issue manifests as same-page DOM-based XSS, executing immediately on the Mail Settings page and potentially leading to full account takeover and platform compromise.

Impact

Exploitation of this vulnerability allows for persistent stored cross-site scripting, with the injected payload executing immediately on the same settings page. This exploitation occurs in the context of the authenticated user managing Mail Settings, potentially leading to administrative privilege escalation and full account takeover across all roles.

Reproduction

To reproduce this vulnerability, navigate to System Settings -> Mail Settings and insert a JavaScript payload into any of the Mail Settings fields, such as Mail Server or Email Address. Once the settings are saved, the payload breaks out of the input attribute context and executes immediately on the same page.

Remediation

Users are advised to update to version 0.31.0.0 or later. Additionally, input sanitization and proper HTML encoding should be applied to all configuration fields. It is also recommended to enforce a Content Security Policy and to set the HttpOnly, SameSite, and Secure flags on cookies, to limit the impact of cross-site scripting and any escalation to cross-site request forgery.
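The following is an added example and is not code from the CI4MS project. It illustrates the remediation above: a setting that is echoed straight into an input's value attribute (the assumed vulnerable pattern) beside the same field rendered with attribute-context encoding. The sample stored value is constructed for the demonstration. The hardened form uses PHP's built-in htmlspecialchars() as a stand-in so the script runs without the framework; in a CodeIgniter 4 view the framework helper esc($value, 'attr') performs the same encoding. The DOM parse at the end is a check a reviewer can run: it shows which attributes a browser would actually see on the element.

```php
<?php
// Added example, not CI4MS project code: attribute-context encoding for
// Mail Settings fields. Vulnerable pattern and sample value are constructed.
declare(strict_types=1);

// Constructed sample of a stored Mail Server setting that closes the value
// attribute and appends its own attributes (the "break out of the input
// attribute context" the advisory describes). Benign alert() only.
const STORED_MAIL_SERVER = 'smtp.example.com" onfocus="alert(1)" autofocus="';

// Assumed vulnerable pattern: the stored value is echoed into the attribute as-is.
function renderMailServerFieldVulnerable(string $value): string
{
    return '<input type="text" name="mail_server" value="' . $value . '">';
}

// Attribute-context encoder. ENT_QUOTES encodes both " and ', so the value
// cannot terminate the attribute whichever quote style the template uses.
// In CodeIgniter 4 views use esc($value, 'attr') for the same purpose.
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: encode before output.
function renderMailServerFieldHardened(string $value): string
{
    return '<input type="text" name="mail_server" value="' . escAttr($value) . '">';
}

// Parse the rendered fragment the way a browser would and return the
// attributes of the <input> element as name => decoded value.
function parsedInputAttributes(string $html): array
{
    libxml_use_internal_errors(true); // fragment has no <html>/<body>; ignore libxml notices
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

$renderings = [
    'vulnerable' => renderMailServerFieldVulnerable(STORED_MAIL_SERVER),
    'hardened'   => renderMailServerFieldHardened(STORED_MAIL_SERVER),
];

foreach ($renderings as $label => $html) {
    $attrs = parsedInputAttributes($html);
    printf("%-10s %s\n", $label, $html);
    printf("%-10s attributes seen by the browser: %s\n", '', implode(', ', array_keys($attrs)));
    // The hardened output keeps the full stored string inside value=""; the
    // vulnerable output loses the tail of it to injected onfocus/autofocus attributes.
    printf("%-10s value attribute round-trips intact: %s\n\n", '',
        ($attrs['value'] ?? null) === STORED_MAIL_SERVER ? 'yes' : 'no');
}
```

Running the script with `php` prints the vulnerable markup with five parsed attributes (type, name, value, onfocus, autofocus) and the hardened markup with only three, the value attribute containing the complete stored string. Encoding at output time is what matters here: input filtering alone does not help once a hostile value is already in the database. For the cookie part of the remediation, CodeIgniter 4 keeps the relevant settings in app/Config/Cookie.php ($secure, $httponly, $samesite).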

Added: Mar 30, 2026, 9:40 PM
Updated: Mar 30, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm
spread:         0.0
impact:         1.7
exploitability: 6.1
remediation:    0.0
relevance:      4.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.