CI4MS CodeIgniter CMS Stored Cross-Site Scripting Vulnerability in Group and Role Management

Vulnerability

A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises from improper sanitization of user input in group and role management features. Malicious JavaScript payloads can be injected into several group-related input fields, stored on the server, and later executed in the context of privileged administrative views, leading to a full takeover of administrator accounts and the application itself.

Impact

Exploitation results in persistent (stored) cross-site scripting: the injected JavaScript executes automatically in the browser of any administrator who views the affected group or role management interfaces. This escalates the attacker's privileges and enables a complete compromise of the application.

Reproduction

To reproduce this vulnerability, navigate to the group or role management page and inject an XSS payload, such as an image tag with an 'onerror' event, into one of the group-related input fields. After saving the changes, view the group or role management page as an administrator to observe the executed payload.

Remediation

Users are advised to update to version 0.31.0.0 or later. Additionally, avoid rendering user-supplied data in PHP applications through innerHTML-style mechanisms without proper sanitization. HTML-encode all user-controlled output, and apply a Content Security Policy header together with the HttpOnly, SameSite, and Secure cookie attributes to reduce the impact of XSS.
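As an added illustration of the HTML-encoding fix (example code written for this page, not CI4MS or CodeIgniter code), the snippet below renders a constructed group record both without and with output encoding. It is plain PHP so it runs outside the framework; encode_html is a hypothetical helper that mirrors what CodeIgniter 4's esc() helper does in a view, and the group record and its payload are constructed sample data.

```php
<?php
// Added example (not CI4MS code): output-encode group fields before they
// reach an administrative view, shown next to the vulnerable rendering.
declare(strict_types=1);

// Hypothetical helper: encode a value for an HTML text or attribute context.
// ENT_QUOTES also encodes single quotes so the value is safe inside attribute
// delimiters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
// In a CodeIgniter 4 view the equivalent is <?= esc($group['name']) ?>.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed group record of the kind stored by the group management
// feature; the name field holds the sort of image-tag payload the advisory
// describes (constructed sample, not taken from any real system).
$group = [
    'name'        => '<img src=x onerror="alert(1)">',
    'description' => 'Editors & "reviewers"',
];

// Vulnerable rendering: the stored value is written into the page verbatim,
// so the browser parses the <img> tag and runs its onerror handler when an
// administrator opens the group list.
function render_row_vulnerable(array $group): string
{
    return '<tr><td>' . $group['name'] . '</td><td>'
        . $group['description'] . '</td></tr>';
}

// Hardened rendering: every field is encoded for its HTML context, so the
// browser displays the payload as literal text instead of parsing markup.
function render_row_safe(array $group): string
{
    return '<tr><td>' . encode_html($group['name']) . '</td><td>'
        . encode_html($group['description']) . '</td></tr>';
}

echo "vulnerable: ", render_row_vulnerable($group), PHP_EOL;
echo "hardened:   ", render_row_safe($group), PHP_EOL;
```

Run with the php CLI and compare the two lines: the hardened row contains no angle brackets or quotes from the stored value, so the browser has nothing to execute.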

Added: Mar 30, 2026, 9:28 PM
Updated: Mar 30, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.4
exploitability: 6.3
remediation:    0.0
relevance:      4.9
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.