CI4MS Stored Cross-Site Scripting Vulnerability in Blog Category Management
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS, prior to version 0.31.0.0. The application does not properly sanitize user input when blog categories are created or edited, so an attacker can inject a malicious JavaScript payload into the category title, which is then stored on the server. The stored payload is later executed on public-facing blog category pages, administrative interfaces, and blog post views, resulting in persistent cross-site scripting. When an affected page is viewed by an administrator or other privileged user, the vulnerability can be used to escalate privileges, potentially allowing a full account takeover.
Impact
Exploitation of this vulnerability leads to stored cross-site scripting, where injected JavaScript executes in the context of the user viewing the affected blog category or post. This could allow an attacker to escalate privileges if the victim has administrative rights, potentially leading to a complete takeover of the administrator account and, consequently, the entire application.
Reproduction
To reproduce this vulnerability, access the blog category management page. Create or edit a category by inserting a JavaScript payload, such as an image tag with an 'onerror' event, into the category title. Save the category, then view the public blog category page, blog post page, or the administrative interface to see the payload execute automatically.
Remediation
Users are advised to update to version 0.31.0.0, where this vulnerability has been patched. After updating, it is recommended to back up the database and run 'composer update' before upgrading.
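The root cause described above, as an added example in plain PHP (not CI4MS code and not the project's patch): a stored category title written into HTML as-is versus encoded at output time, plus a check that flags stored titles containing markup for review. The `id` and `title` keys, the function names and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored blog categories
// (the 'id' and 'title' keys are assumed names, not the CI4MS schema).
$categories = [
    ['id' => 1, 'title' => 'Release notes'],
    ['id' => 2, 'title' => 'Tips & tricks'],
    ['id' => 3, 'title' => '<img src=x onerror=alert(1)>'],
];

// Unsafe pattern: the stored title is concatenated into HTML as-is,
// so any markup it contains becomes part of the page.
function renderUnsafe(array $category): string
{
    return '<h2>' . $category['title'] . '</h2>';
}

// Safe pattern: encode for the HTML context at output time, so the
// title is displayed as text whatever was stored.
function renderEscaped(array $category): string
{
    $title = htmlspecialchars($category['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>' . $title . '</h2>';
}

// Audit helper: return the rows whose title contains tag-like markup,
// for manual review of data written before the upgrade.
function findSuspectTitles(array $categories): array
{
    return array_values(array_filter(
        $categories,
        static fn(array $c): bool => preg_match('/<\s*\/?\s*[a-z!]/i', $c['title']) === 1
    ));
}

foreach ($categories as $category) {
    echo 'unsafe:  ', renderUnsafe($category), PHP_EOL;
    echo 'escaped: ', renderEscaped($category), PHP_EOL;
}

foreach (findSuspectTitles($categories) as $hit) {
    echo 'review category id ', $hit['id'], PHP_EOL;
}
```

In a CodeIgniter 4 view, the framework's `esc()` helper performs the same HTML-context encoding as `htmlspecialchars()` here.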
