CI4MS CodeIgniter CMS Stored DOM-Based Cross-Site Scripting Vulnerability
Vulnerability
A stored DOM-based cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises in the Page Management functionality, where user-controlled input is not properly sanitized when creating or editing pages. Multiple input fields allow the injection of JavaScript payloads, which are stored server-side and later rendered without adequate output encoding. This flaw enables the execution of injected scripts in the context of the user’s browser.
Impact
Exploitation of this vulnerability results in persistent (stored) cross-site scripting: injected JavaScript executes automatically in the browsers of administrators, authenticated users, and unauthenticated visitors. When the affected page is viewed by an administrator or other privileged user, this could lead to privilege escalation, allowing for a full takeover of an administrator account and, consequently, a full compromise of the entire application.
Reproduction
To reproduce this vulnerability, navigate to the Page Management section and select 'Add Page'. Inject a JavaScript payload, such as an image tag with an 'onerror' event, into any of the page-related fields. After saving or publishing the page, the injected payload will execute when the page is viewed in the administrative page list or on the public-facing site.
Remediation
Users are advised to update to version 0.31.0.0, where this vulnerability has been patched.
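The flaw class described above, shown as an added example that is not CI4MS code: a page-list row built from stored fields without output encoding, the encoded form, and a heuristic check for reviewing page records already in the database. The field names (`title`, `slug`, `seoDescription`) and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not CI4MS code. Field names and records are constructed assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored fields are concatenated into markup that is later
// assigned to innerHTML, so any tag or event handler in a field becomes live DOM.
function renderRowUnsafe(page) {
  return `<tr><td>${page.title}</td><td><a href="/${page.slug}">${page.slug}</a></td></tr>`;
}

// Hardened pattern: every stored field is HTML-encoded on output, and the slug is
// URL-encoded where it lands inside an href. (When building nodes directly in the
// browser, assigning to textContent gives the same result for text content.)
function renderRowSafe(page) {
  return `<tr><td>${escapeHtml(page.title)}</td>` +
    `<td><a href="/${encodeURIComponent(page.slug)}">${escapeHtml(page.slug)}</a></td></tr>`;
}

// Heuristic audit: flag string fields containing tags, inline event-handler
// attributes or javascript: URLs. Hits need manual review; this is not a sanitizer.
const ACTIVE_MARKUP = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i;
function findSuspectFields(page) {
  return Object.keys(page).filter(
    (key) => typeof page[key] === 'string' && ACTIVE_MARKUP.test(page[key])
  );
}

// Constructed sample records standing in for rows of a pages table.
const pages = [
  { title: 'About us', slug: 'about', seoDescription: 'Who we are & what we do' },
  { title: '<img src=x onerror=alert(1)>', slug: 'news', seoDescription: 'Latest news' },
];

for (const page of pages) {
  const suspects = findSuspectFields(page);
  console.log(page.slug, suspects.length ? `review fields: ${suspects.join(', ')}` : 'clean');
  console.log('  encoded row:', renderRowSafe(page));
}
```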
