CI4MS CodeIgniter 4-Based CMS Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, in versions prior to 0.31.0.0. The application does not properly sanitize user input when blog tags are created or edited, so an attacker can inject a malicious JavaScript payload into the tag name, which is then stored on the server. The stored value is later rendered without proper output encoding on public tag pages and in administrative interfaces. As a result, arbitrary JavaScript executes in the context of the viewing user's browser.
Impact
Exploitation results in persistent (stored) cross-site scripting: the injected payload executes automatically whenever the tag is viewed. This could lead to full account takeover, especially if the victim has administrative privileges, and to a complete compromise of the application.
Reproduction
To reproduce this vulnerability, access the Blog Tags management page. Create or edit a tag by inserting an XSS payload, such as an image tag with an 'onerror' event. After saving the tag, the injected payload will execute automatically when the tag is rendered on a public blog page or in the administrative interface.
Remediation
Users are advised to update to version 0.31.0.0, where this vulnerability has been patched.
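The following is an added illustration of the flaw class described above, not CI4MS code or its actual patch: a stored tag name rendered with and without output encoding, plus an allow-list check at save time. The function names, the `/tag/` route and the sample rows are assumptions; in a CodeIgniter 4 view the framework's `esc()` helper plays the role of `encodeHtml()` here.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored blog tags.
// The second name carries markup of the kind the advisory describes.
$tags = [
    ['name' => 'release-notes', 'slug' => 'release-notes'],
    ['name' => '<img src=x onerror=alert(1)>', 'slug' => 'x'],
];

// Hypothetical helper: encode a value for HTML element content or a quoted attribute.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: the stored name is concatenated into markup as-is,
// so any markup in it becomes part of the page.
function renderTagUnsafe(array $tag): string
{
    return '<a href="/tag/' . $tag['slug'] . '">' . $tag['name'] . '</a>';
}

// Hardened pattern: encode at the point of output, per context.
// The slug is URL-encoded for the path, then HTML-encoded for the attribute.
function renderTagSafe(array $tag): string
{
    return '<a href="/tag/' . encodeHtml(rawurlencode($tag['slug'])) . '">'
        . encodeHtml($tag['name']) . '</a>';
}

// Defence in depth at write time (assumed policy): letters, digits,
// spaces, hyphens and underscores only, 1 to 64 characters.
function isValidTagName(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} _-]{1,64}\z/u', $name) === 1;
}

foreach ($tags as $tag) {
    printf(
        "valid=%s\n  unsafe: %s\n  safe:   %s\n",
        var_export(isValidTagName($tag['name']), true),
        renderTagUnsafe($tag),
        renderTagSafe($tag)
    );
}
```

Output encoding is the control that matters for values already in the database; the save-time check only limits what new tag names can contain.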
