CI4MS CodeIgniter CMS Stored Blind Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS, prior to version 0.31.0.0. The issue arises from the application rendering user-controlled input unsafely in the logs interface. If any stored XSS payload exists within logged data, it is displayed without proper output encoding. This creates a blind XSS scenario, as the attacker does not see immediate execution. Instead, the payload is stored in application logs and executes later when an administrator views the logs page. The vulnerability has been patched in version 0.31.0.0.
Impact
Exploitation of this vulnerability leads to persistent stored blind cross-site scripting, where injected JavaScript executes automatically in the context of an administrator's browser. This could result in privilege escalation and a full takeover of the administrator account, compromising the entire application.
Reproduction
To reproduce this vulnerability, inject an XSS payload into any user-controlled input that the application logs, such as through the backend backup restore feature. Once the payload is logged, it executes automatically when an administrator views the logs interface.
Remediation
Users are advised to update to version 0.31.0.0 or later, where this vulnerability has been patched.
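The missing output encoding described under Vulnerability, shown beside a hardened form, as an added example that is not CI4MS code and does not reproduce the 0.31.0.0 patch. The function names, row fields and sample log rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample log rows (not taken from CI4MS). The second row carries
// markup in a user-controlled field, as a logged value might after hostile input.
$logRows = [
    ['level' => 'info',  'message' => 'Backup restored: site-2024.zip'],
    ['level' => 'error', 'message' => "Restore failed: <script>console.log('log-view-test')</script>"],
];

// Unsafe pattern: the stored value is concatenated into HTML as-is, so any
// markup in it becomes part of the page the administrator loads.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['level'] . '</td><td>' . $row['message'] . "</td></tr>\n";
}

// Hardened pattern: encode every stored value for the HTML context at output
// time. In a CodeIgniter 4 view, esc($value) serves the same purpose.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['level']) . '</td><td>' . e($row['message']) . "</td></tr>\n";
}

foreach ($logRows as $row) {
    $unsafe = renderRowUnsafe($row);
    $safe   = renderRowSafe($row);
    // A row is affected when encoding changes it, i.e. it held HTML metacharacters.
    $flag = ($unsafe !== $safe) ? 'MARKUP IN LOG DATA' : 'clean';
    echo '[' . $flag . "]\n  unsafe: " . $unsafe . '  safe:   ' . $safe;
}
```

Comparing the two renderings over existing log data is also a quick way to find entries that already contain markup before an administrator opens the logs page on an unpatched version.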
