CI4MS CodeIgniter 4-Based CMS Stored DOM Cross-Site Scripting Vulnerability
Vulnerability
A stored DOM-based cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises in the System Settings -> Social Media Management section, where multiple configuration fields accept attacker-controlled input. This input is stored server-side and rendered without proper output encoding, enabling the execution of malicious scripts. Unlike typical stored cross-site scripting vulnerabilities that execute on public-facing pages, this issue manifests immediately on the same settings page: the stored value breaks out of the input attribute context and executes in the browser of the user managing the settings.
Impact
Exploitation of this vulnerability leads to persistent stored cross-site scripting, with immediate execution on the same page. This allows for the execution of arbitrary JavaScript in the context of the affected user, and in cases where an administrator is compromised, it could result in a full account takeover and platform compromise.
Reproduction
To reproduce this vulnerability, navigate to System Settings -> Social Media Management. Inject a JavaScript payload, such as an image tag with an 'onerror' event, into the Social Media or Social Media Link fields. After saving the settings, the payload executes immediately on the same page, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to update to version 0.31.0.0, where this vulnerability has been patched.
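The attribute-context breakout described above, shown beside an output-encoded rendering, as an added example that is not CI4MS code and not the project's actual patch. It assumes the stored value is written into a `value` attribute when the settings form is rendered; the function names, the `socialLink` field name and the sample value are constructed for illustration.

```php
<?php
// Added example, not CI4MS code; function and field names are hypothetical.

// Constructed stored value of the kind the advisory describes: it closes the
// value="..." attribute and adds an <img> with an onerror handler.
$stored = '"><img src=x onerror=alert(1)>';

// Vulnerable pattern: stored value concatenated into an attribute unencoded.
function renderUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode on output for the HTML attribute context.
// In a CodeIgniter 4 view, esc($value, 'attr') serves the same purpose.
function renderSafe(string $name, string $value): string
{
    $enc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// Defence in depth on save: accept only absolute http(s) URLs in link fields.
function isAcceptableLink(string $link): bool
{
    if (filter_var($link, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Parse rendered markup with an HTML parser and list the elements it contains.
function elementNames(string $html): array
{
    libxml_use_internal_errors(true); // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>');
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->getElementsByTagName('*') as $el) {
        $names[] = $el->nodeName;
    }
    return $names;
}

// Compare what the parser sees for each rendering, then check the save filter.
echo implode(',', elementNames(renderUnsafe('socialLink', $stored))), PHP_EOL;
echo implode(',', elementNames(renderSafe('socialLink', $stored))), PHP_EOL;
var_dump(isAcceptableLink($stored), isAcceptableLink('https://example.com/profile'));
```

With the unencoded rendering the parser reports an `img` element alongside the `input`; with attribute encoding the stored value stays inside `value` and only the `input` element is present.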
