CI4MS CodeIgniter 4-Based CMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, in versions prior to 0.31.0.0. The application does not sanitize user input when blog post categories are created or edited, so an attacker can store a malicious JavaScript payload in the category content. When the categories are later rendered in blog posts, that stored content is written into the page without output encoding and the injected script executes. This issue has been patched in version 0.31.0.0.

Impact

Successful exploitation results in persistent (stored) cross-site scripting: the injected JavaScript runs in the browser of every user who views the affected blog post categories. If an administrator or other privileged user views the category, this can lead to privilege escalation and full account takeover, and from there to compromise of the entire application.

Reproduction

To reproduce this vulnerability, navigate to the Categories section of the blog management panel. Create a new category or edit an existing one, and insert a JavaScript payload, such as an image tag with an error event handler, into the category content. After saving the category, the injected script will execute automatically when the category is viewed in the blog posts.

Remediation

Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. Additionally, avoid rendering user-supplied input as raw HTML in PHP applications (the server-side equivalent of assigning to innerHTML), since any stored markup is then interpreted by the browser; encode output for the context in which it is rendered instead. Implementing a Content Security Policy (CSP) and setting session cookies as HttpOnly, SameSite, and Secure also help limit the impact of cross-site scripting vulnerabilities.
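The following is an added example, not code from the CI4MS project, showing the unsafe rendering pattern beside the encoded one, plus the CSP and cookie-flag mitigations named above. The array key `name`, the function names, and the CSP policy are assumptions for illustration; the CodeIgniter 4 `esc()` helper mentioned in the comment is the framework's real output-escaping function.

```php
<?php
// Added example (not CI4MS project code): rendering a stored blog category safely in PHP.
// Assumes a controller passes $category['name'] (hypothetical field) to the view.

declare(strict_types=1);

// Vulnerable pattern: stored input is concatenated straight into the HTML response,
// so any markup saved in the category name is parsed and executed by the browser.
function renderCategoryUnsafe(array $category): string
{
    return '<li class="category">' . $category['name'] . '</li>';
}

// Hardened pattern: contextual output encoding at render time.
// htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE turns <, >, &, " and '
// into entities, so stored markup is displayed as literal text.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCategorySafe(array $category): string
{
    return '<li class="category">' . escapeHtml($category['name']) . '</li>';
}

// In a CodeIgniter 4 view the equivalent is the framework's esc() helper, which wraps
// laminas-escaper and takes a context ('html', 'attr', 'js', 'css', 'url'):
//   <li class="category"><?= esc($category['name']) ?></li>

// Optional input-side hardening: reject category names that contain any markup.
// Defence in depth only; it does not replace output encoding.
function isPlainCategoryName(string $name): bool
{
    return $name === strip_tags($name) && mb_strlen($name) <= 100;
}

// Response-level mitigations from the advisory: a CSP that disallows inline scripts,
// and session cookie flags that keep the cookie away from script and cross-site requests.
// The policy below is an assumed baseline and must be tuned to the application's assets.
function applyMitigationHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    session_set_cookie_params([
        'httponly' => true,   // not readable via document.cookie
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not attached to cross-site POSTs
        'path'     => '/',
    ]);
}

// Constructed sample mirroring the advisory's vector: an image tag with an error handler.
$stored = ['name' => '<img src=x onerror=alert(1)>'];

echo renderCategoryUnsafe($stored), PHP_EOL;
echo renderCategorySafe($stored), PHP_EOL;
var_dump(isPlainCategoryName($stored['name']));
var_dump(isPlainCategoryName('Security News'));
```

Run from the command line, the first echo emits the stored tag unchanged (which a browser would execute), while the second emits it with `<` and `>` replaced by `&lt;` and `&gt;`, so the browser shows the text rather than loading an image. The `isPlainCategoryName` check rejects the sample and accepts an ordinary name. `applyMitigationHeaders()` must be called before any output and before `session_start()`; in a CodeIgniter 4 application the same settings belong in the framework's cookie and CSP configuration rather than in raw `header()` calls.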

Added: Apr 1, 2026, 10:30 PM
Updated: Apr 1, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.