CI4MS CodeIgniter CMS Stored DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A stored DOM-based cross-site scripting (XSS) vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, in versions prior to 0.31.0.0. The issue lies in the Menu Management functionality: user-controlled input is not sanitized when posts are added to navigation menus. The post data is stored server-side and later rendered without adequate output encoding, so a JavaScript payload embedded in it executes whenever the menu is displayed. The vulnerability can lead to privilege escalation in administrative contexts and to full account takeover across all roles.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to execute in the context of the victim's browser; because the payload is stored, it runs automatically every time the menu is rendered. In administrative contexts, this can result in a full takeover of an administrator account.

Reproduction

To reproduce this vulnerability, navigate to the Menu Management section and use the Posts feature to add a post containing a JavaScript payload, such as an image tag with an onerror event. After saving the menu, the payload will execute when the menu is viewed in the administrative panel or on a public-facing page.

Remediation

Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. Additionally, it is recommended to avoid innerHTML-style rendering of stored data in the JavaScript front ends of PHP applications, since this creates real-world XSS exploitation risks. Implementing a Content Security Policy (CSP) and setting cookies as HttpOnly, SameSite, and Secure help mitigate XSS and the Cross-Site Request Forgery (CSRF) attacks that XSS can be escalated to.
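An added example (not CI4MS project code) showing the innerHTML-style rendering pattern the remediation warns about beside two hardened alternatives; the menu item shape and the helper names are assumptions:

```javascript
// Added example, not CI4MS code. Assumed data shape for menu entries loaded from the
// server: [{ title: "Post title", url: "/posts/1" }]. Demonstrates the innerHTML-style
// sink described in the advisory beside two hardened alternatives.

// Encode the characters that can break out of text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reject non-http(s) schemes (javascript:, data:) in href values; relative paths pass.
function safeHref(url) {
  const s = String(url).trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return scheme && !/^https?$/i.test(scheme[1]) ? "#" : s;
}

// VULNERABLE pattern (for contrast): stored fields interpolated raw into markup that is
// later assigned to element.innerHTML, so a stored "<img onerror=...>" title executes.
function renderMenuUnsafe(items) {
  return items.map((i) => `<li><a href="${i.url}">${i.title}</a></li>`).join("");
}

// HARDENED string renderer: every stored field is encoded before it enters markup.
function renderMenuSafe(items) {
  return items
    .map((i) => `<li><a href="${escapeHtml(safeHref(i.url))}">${escapeHtml(i.title)}</a></li>`)
    .join("");
}

// PREFERRED: build DOM nodes directly; textContent never parses HTML, so no encoding
// step can be forgotten. `doc` is injected so the function also runs outside a browser.
function buildMenu(doc, items) {
  const ul = doc.createElement("ul");
  for (const i of items) {
    const li = doc.createElement("li");
    const a = doc.createElement("a");
    a.setAttribute("href", safeHref(i.url));
    a.textContent = i.title; // stored title becomes text, never markup
    li.appendChild(a);
    ul.appendChild(li);
  }
  return ul;
}
```

In a browser, `buildMenu(document, items)` replaces the `menu.innerHTML = renderMenuUnsafe(items)` sink entirely; `renderMenuSafe` is the fallback when a string must be produced.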

Added: Apr 1, 2026, 10:35 PM
Updated: Apr 1, 2026, 10:35 PM

Vulnerability Rating (Custom Algorithm)

  spread          0.0
  impact          1.7
  exploitability  6.3
  remediation     0.0
  relevance       5.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.