CI4MS Methods Management Stored DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A stored DOM-based cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises in the Methods Management functionality, where user-controlled input is not properly sanitized before being stored server-side. Multiple input fields allow the injection of JavaScript payloads, which are later rendered in administrative interfaces and global navigation components without adequate encoding. This flaw enables the execution of malicious scripts across all pages where the affected method appears in the menu, posing a significant risk of account takeover, especially for administrators.

Impact

Exploitation of this vulnerability yields stored DOM-based cross-site scripting: the injected JavaScript executes automatically on every application page that renders the affected menu entry. This could result in a full account takeover, particularly for users with administrative privileges, allowing a complete compromise of the application.

Reproduction

To reproduce this vulnerability, navigate to the Methods Management section and create a new method. Inject a JavaScript payload, such as an image tag with an 'onerror' event, into the 'Page Name' field or any other vulnerable input field. Once the method is saved, the injected payload will execute automatically on any backend page where the malicious method appears in the menu, triggering the cross-site scripting across all pages with the navigation rendered.

Remediation

Users are advised to update to version 0.31.0.0 or later. Additionally, implement server-side input validation and sanitization, ensure strict output encoding before rendering user input, and conduct a security review of all navigation rendering logic to prevent similar vulnerabilities.
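To make the output-encoding part of the remediation concrete, the following is an added example (not CI4MS code; the record layout and function names are assumed) of a navigation renderer in its vulnerable form beside a hardened form that encodes each stored value for the HTML context it lands in. In a CodeIgniter 4 view the framework's esc() helper performs the same encoding; plain htmlspecialchars is used here so the file runs without the framework.

```php
<?php
declare(strict_types=1);

// Constructed sample of stored "method" rows. The second page_name carries the
// kind of payload the advisory describes (an image tag with an onerror handler).
$methods = [
    ['id' => 1, 'page_name' => 'Dashboard', 'url' => '/admin'],
    ['id' => 2, 'page_name' => 'Reports<img src=x onerror=alert(1)>', 'url' => '/admin/methods'],
];

// Vulnerable form: the stored field is interpolated straight into markup, so
// any HTML in page_name becomes live DOM on every page that renders the menu.
function renderMenuVulnerable(array $methods): string
{
    $html = '<ul class="nav">';
    foreach ($methods as $m) {
        $html .= '<li><a href="' . $m['url'] . '">' . $m['page_name'] . '</a></li>';
    }
    return $html . '</ul>';
}

// HTML entity encoding for element content and quoted attribute values.
// Equivalent to esc($value) / esc($value, 'attr') in a CodeIgniter 4 view.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: every stored value is encoded before it reaches the page, and
// the href is additionally restricted to site-relative paths so that the URL
// field cannot carry anything other than an in-app link.
function renderMenu(array $methods): string
{
    $html = '<ul class="nav">';
    foreach ($methods as $m) {
        $url = (string) $m['url'];
        if (!preg_match('#^/[^\s]*$#', $url)) {
            $url = '#'; // reject anything that is not a site-relative path
        }
        $html .= '<li><a href="' . escHtml($url) . '">'
               . escHtml((string) $m['page_name']) . '</a></li>';
    }
    return $html . '</ul>';
}

echo renderMenuVulnerable($methods), PHP_EOL; // payload survives as markup
echo renderMenu($methods), PHP_EOL;           // payload rendered as inert text
```

The same encoding must be applied everywhere the stored method is rendered, including the administrative list views named in the advisory, not only the global navigation.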

Added: Mar 30, 2026, 9:22 PM
Updated: Mar 30, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.