CI4MS CodeIgniter CMS Stored DOM-Based Cross-Site Scripting Vulnerability
Vulnerability
A stored DOM-based cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises in the Menu Management functionality, where user-controlled input is not properly sanitized when adding Pages to navigation menus. This unsanitized data is stored server-side and rendered without adequate output encoding, allowing malicious JavaScript payloads to execute when the menu is displayed in administrative interfaces or public-facing sites. The vulnerability can lead to full account takeover, especially if the payload is executed by an administrator.
Impact
Exploitation of this vulnerability allows persistent (stored) DOM-based cross-site scripting, where the injected JavaScript executes in the browser context of whichever user views the menu. If an administrator or other privileged user is affected, this can escalate privileges, potentially leading to a complete takeover of the administrator account and, consequently, of accounts across all roles that are reachable through the navigation menu.
Reproduction
To reproduce this vulnerability, navigate to the Menu Management section and use the Pages functionality to add a page containing a JavaScript payload, such as an image tag with an 'onerror' event. After saving the menu entry, the payload will execute automatically when the menu is rendered in the administrative panel or on any public-facing page.
Remediation
Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. Additionally, implement general XSS protections such as Content Security Policy (CSP) and ensure proper input sanitization and output encoding.
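To illustrate the output-encoding advice above, the following is an added example (not CI4MS's own code); the menu item shape `{title, url}` and the function names are assumed. It places the vulnerable string-building pattern beside a hardened version that encodes each stored field for its HTML context and rejects non-http(s) link targets.

```javascript
// Added example: rendering stored navigation-menu entries without letting a stored
// title or URL become live markup. Hypothetical item shape: { title, url }.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept only http(s), protocol-relative, or site-relative links for href.
// Anything else (e.g. a javascript: URL stored as a page link) is replaced with '#'.
function safeHref(url) {
  const s = String(url).trim();
  if (/^(https?:)?\/\//i.test(s) || s.startsWith('/')) return s;
  return '#';
}

// Vulnerable pattern: stored fields are concatenated straight into markup that the
// page later assigns to innerHTML, so a title containing a tag becomes live DOM.
function renderMenuUnsafe(items) {
  return '<ul>' + items.map((i) =>
    `<li><a href="${i.url}">${i.title}</a></li>`).join('') + '</ul>';
}

// Hardened pattern: every stored field is encoded for its context and the href is validated.
function renderMenuSafe(items) {
  return '<ul>' + items.map((i) =>
    `<li><a href="${escapeHtml(safeHref(i.url))}">${escapeHtml(i.title)}</a></li>`).join('') + '</ul>';
}

// Simple check usable in a test suite: did a stored entry smuggle a tag or a
// javascript: link into the rendered markup?
function containsInjectedMarkup(html) {
  return /<img\b/i.test(html) || /href="javascript:/i.test(html);
}

// Constructed sample: two ordinary pages plus one entry of the kind the advisory describes.
const SAMPLE_MENU = [
  { title: 'Home', url: '/' },
  { title: 'Docs & FAQ', url: '/docs' },
  { title: '<img src=x onerror=alert(1)>', url: 'javascript:alert(1)' },
];

console.log(containsInjectedMarkup(renderMenuUnsafe(SAMPLE_MENU))); // true
console.log(containsInjectedMarkup(renderMenuSafe(SAMPLE_MENU)));   // false
```

When the menu is built directly in the DOM rather than as a string, the same rule applies: set `textContent` for titles and validate `href` before assignment, instead of using `innerHTML`.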
