CI4MS CodeIgniter 4-Based CMS Blind Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises from the application's failure to properly sanitize user-controlled input during backup uploads and metadata processing. An attacker can exploit this by injecting a malicious JavaScript payload into the backup filename via an uploaded SQL file. This payload is then executed in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting. The vulnerability allows for privilege escalation and full account takeover when the injected payload is executed in the context of an administrator or privileged user.

Impact

Exploitation of this vulnerability leads to stored blind cross-site scripting, where injected JavaScript payloads are executed in the browsers of users with administrative or privileged access. This can result in a full takeover of the administrator account and all other roles, compromising the entire application.

Reproduction

To reproduce this vulnerability, upload a crafted SQL file named 'xss.sql' through the backup upload feature. The SQL file should be designed to execute and insert a JavaScript payload, such as an image tag with an 'onerror' event, into the backup filename field. After uploading, navigate to the backup management panel as an administrator and view the uploaded backup entry. The injected XSS payload will execute automatically, demonstrating the blind cross-site scripting vulnerability.

Remediation

Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. Additionally, implement general XSS prevention measures such as input sanitization, output encoding, and applying Content Security Policy (CSP) headers.
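The following defender-side illustration is added here and is not CI4MS's own code: it shows the two controls the remediation calls for, a strict allow-list check on the uploaded backup filename and HTML output encoding when a stored filename is rendered in a backup list view. The function names and the sample rows are constructed for this example; CodeIgniter 4's esc() helper performs the same encoding inside the framework, htmlspecialchars() is used so the snippet runs on plain PHP.

```php
<?php
// Added defensive example (not CI4MS code). Two layers against stored XSS in
// backup filenames: validate on the way in, encode on the way out.

declare(strict_types=1);

/**
 * Accept only names like "site-2026-04-01.sql": an alphanumeric first
 * character, then letters, digits, dot, dash or underscore, ending in .sql.
 * Path separators, angle brackets, quotes and spaces never match.
 * Returns the name when it is acceptable, null when it must be rejected.
 */
function validateBackupFilename(string $clientName): ?string
{
    if (strlen($clientName) > 100) {
        return null;
    }
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.sql\z/', $clientName) !== 1) {
        return null;
    }
    return $clientName;
}

/**
 * Encode a value for an HTML text or attribute context. This mirrors what
 * CodeIgniter 4's esc() does; htmlspecialchars is used so the snippet runs
 * outside the framework.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render one row of the backup list the way a hardened view should. */
function renderBackupRow(array $backup): string
{
    // Encode every stored field at output time, even ones validated on
    // upload: a restored SQL dump can rewrite the filename column later,
    // which is exactly the path the advisory describes.
    return '<tr><td>' . e((string) $backup['filename']) . '</td>'
         . '<td>' . e((string) $backup['created_at']) . '</td></tr>';
}

// Constructed sample rows: one legitimate name, one carrying HTML markup.
$rows = [
    ['filename' => 'site-2026-04-01.sql',   'created_at' => '2026-04-01 22:36'],
    ['filename' => '<b>not a name</b>.sql', 'created_at' => '2026-04-01 22:40'],
];
foreach ($rows as $row) {
    echo renderBackupRow($row), PHP_EOL;
}
var_dump(validateBackupFilename('site-2026-04-01.sql'));
var_dump(validateBackupFilename('<b>not a name</b>.sql'));
```

Run with `php example.php`; the second row prints with its markup encoded, and the second validation call returns null so the upload would be refused before a name ever reaches the database.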

Added: Apr 1, 2026, 10:36 PM
Updated: Apr 1, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.