CI4MS CodeIgniter CMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton, in versions prior to 31.0.0.0. The issue arises because the application does not properly sanitize user input when profile names are updated. This allows an attacker to inject a malicious JavaScript payload into their own profile name, which is then stored on the server. The stored value is later rendered in multiple application views without output encoding, so the payload executes as arbitrary JavaScript in the browser of any user who views those pages.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting: the injected script executes in the browser of every user who views the affected profile, with the privileges of that user's session. When the viewer is an administrator, this can lead to privilege escalation and a full takeover of the admin account.

Reproduction

To reproduce this vulnerability, access the Profile Management page and inject a JavaScript payload, such as an image tag with an error event, into the Full Name input fields. After saving the profile, navigate to the User Management page as an admin or another role to observe the executed payload, confirming the cross-site scripting vulnerability. This issue can also be reproduced on public-facing blog pages that display user profiles.

Remediation

Users are advised to update to version 31.0.0.0 or later. Additionally, developers should avoid rendering user-supplied values into HTML, whether in server-side PHP views or client-side via innerHTML-style APIs, without proper sanitization and context-appropriate output encoding; doing so creates real-world vulnerabilities such as cross-site scripting.
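The following PHP snippet is an added illustration of the remediation point above; it is not code from CI4MS or from the advisory. It places a vulnerable view fragment (stored name concatenated raw into markup) next to a hardened one that HTML-encodes the value at output time. The escape_html() function is a stand-in for CodeIgniter 4's esc() helper so the example runs without the framework; the sample profile name is constructed for the demonstration.

```php
<?php
// Added example (not CI4MS code): why a stored profile name must be
// HTML-encoded at output time, and what CodeIgniter's esc() does for you.

declare(strict_types=1);

/**
 * Minimal stand-in for CodeIgniter 4's esc($value, 'html') helper.
 * In a real CI4 view you would write <?= esc($user->name) ?> instead;
 * this function exists only so the example runs stand-alone (assumption).
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored name is concatenated into markup raw,
// so any tag inside it becomes part of the page's DOM.
function render_name_vulnerable(string $fullName): string
{
    return '<td class="name">' . $fullName . '</td>';
}

// Hardened rendering: the same value passes through an HTML encoder,
// so '<' and '>' arrive at the browser as text, not as tag delimiters.
function render_name_safe(string $fullName): string
{
    return '<td class="name">' . escape_html($fullName) . '</td>';
}

/**
 * Renders a constructed sample name both ways and checks that only the
 * vulnerable form still contains a live element with an event handler.
 * Returns [vulnerable markup, safe markup].
 */
function demonstrate(): array
{
    // Constructed sample of the kind the advisory describes:
    // an image tag carrying an error event handler.
    $storedName = '<img src=x onerror=alert(1)>';

    $vulnerable = render_name_vulnerable($storedName);
    $safe       = render_name_safe($storedName);

    if (!str_contains($vulnerable, '<img src=x onerror=')) {
        throw new RuntimeException('expected raw tag in vulnerable output');
    }
    if (str_contains($safe, '<img')) {
        throw new RuntimeException('encoded output must not contain a tag');
    }
    $expected = '<td class="name">&lt;img src=x onerror=alert(1)&gt;</td>';
    if ($safe !== $expected) {
        throw new RuntimeException('unexpected encoded output: ' . $safe);
    }

    return [$vulnerable, $safe];
}

[$vulnerable, $safe] = demonstrate();
echo "vulnerable: {$vulnerable}\n";
echo "safe:       {$safe}\n";
```

The hardened form encodes for the HTML body context only. A name that is placed into an attribute, a JavaScript string, or a URL needs the matching context (esc() accepts 'attr', 'js', 'css' and 'url'); encoding for the wrong context is a common way for a fix like this to fall short.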

Added: Apr 6, 2026, 5:30 PM
Updated: Apr 6, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.6
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.