CI4MS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue arises because the application does not properly sanitize user input when creating or editing blog posts. This allows an attacker to inject a malicious JavaScript payload into the blog post content, which is then stored on the server. The stored payload is later rendered in multiple application views without proper output encoding, so arbitrary JavaScript executes in the browser of any user who views the post. When the post is viewed by an administrator or another privileged user, the vulnerability can be used to escalate privileges, potentially allowing a full account takeover.

Impact

Exploitation of this vulnerability leads to persistent stored cross-site scripting, where injected payloads execute automatically whenever the affected blog post is viewed. This can result in the takeover of an administrator account, or of accounts across all roles, compromising the entire application.

Reproduction

To reproduce this vulnerability, go to the blog post creation or editing page. Insert an XSS payload, such as an image tag with an 'onerror' event, into the blog post content. Save or publish the post, and then view it either through the administrative panel or the public blog page. The XSS payload will execute automatically.

Remediation

Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. Before upgrading, back up the database and run 'composer update'.
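The rendering defect described above, shown as an added example that is not CI4MS project code: the pre-fix pattern of echoing stored post fields into a view verbatim, beside a hardened renderer that encodes each field for the context it is emitted into. The sample post row is constructed; plain PHP htmlspecialchars() is used so the script runs from the CLI, and in a CodeIgniter 4 view the framework's esc() helper is the idiomatic equivalent.

```php
<?php
declare(strict_types=1);

// Constructed sample row standing in for a blog post read from the database.
// The body carries the image-tag/onerror shape the advisory describes.
$post = [
    'title' => 'Release notes for "0.31"',
    'slug'  => 'release notes/0.31',
    'body'  => '<p>Intro</p><img src=x onerror="alert(1)">',
];

// Unsafe: stored content is concatenated into the view unchanged, so any
// markup in it becomes live DOM in every view that shows the post.
function renderPostUnsafe(array $post): string
{
    return "<h1>{$post['title']}</h1>\n<div class=\"post\">{$post['body']}</div>";
}

// HTML-context encoder: '<', '>', '&' and both quote characters are replaced
// by entities, so stored markup is displayed as text rather than parsed.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every field is encoded for the context it lands in. The slug is
// used as a URL path segment, which needs URL encoding, not HTML encoding.
function renderPostSafe(array $post): string
{
    $title = escHtml($post['title']);
    $body  = escHtml($post['body']);
    $href  = '/blog/' . rawurlencode($post['slug']);
    return "<h1><a href=\"{$href}\">{$title}</a></h1>\n"
         . "<div class=\"post\">{$body}</div>";
}

// Quick check: no tag from the stored body survives in the hardened output.
function containsImgTag(string $html): bool
{
    return stripos($html, '<img') !== false;
}

echo "--- unsafe ---\n", renderPostUnsafe($post), "\n";
echo "--- safe ---\n", renderPostSafe($post), "\n";
assert(containsImgTag(renderPostUnsafe($post)) === true);
assert(containsImgTag(renderPostSafe($post)) === false);
```

If posts must keep legitimate rich HTML, full escaping as shown would also flatten that markup; in that case the body needs an allowlist HTML sanitizer on the way in and the same output encoding for every other field on the way out, and content stored before the upgrade is worth re-checking since an input-side fix alone does not alter rows already in the database (an assumption about the patch, not a statement from the advisory).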

Added: Apr 1, 2026, 10:30 PM
Updated: Apr 1, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.