CI4MS CodeIgniter 4-Based CMS Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in CI4MS, a CodeIgniter 4-based CMS skeleton. This issue affects versions prior to 0.31.4.0. The vulnerability arises in the UserController's ajax_blackList_post() method, where the blacklist note parameter is saved in the database without proper sanitization. This unsanitized data is then rendered into an HTML data-note attribute without escaping. As a result, an admin with the ability to blacklist can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page.
Impact
Exploitation of this vulnerability allows for session hijacking, where an attacker can steal the session cookies of other admins, including superadmins. This is particularly concerning as superadmins are protected from being banned, yet their sessions can be exploited. The vulnerability also leads to privilege escalation, as a lower-privileged admin could use stolen superadmin sessions to gain full control. Additionally, the payload is persistent, residing in the database and executing every time the user list is accessed, impacting all admins who view the page.
Reproduction
To reproduce this vulnerability, an admin must send a POST request to the 'blackList' endpoint with a note parameter containing a JavaScript payload, such as one that accesses document cookies. This payload will be stored in the database and executed in the browser of any admin who views the user management page.
Remediation
The vulnerability has been fixed in version 0.31.4.0. To address this issue, update to the latest version.
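As an added illustration, not CI4MS's own code, the rendering pattern described above next to an output-encoded version; the row markup, the function names and the sample note are assumed for the example, and the check at the end is one a regression test could use:

```php
<?php
declare(strict_types=1);

// Constructed sample note, of the kind an admin could submit to the
// blackList endpoint. It contains characters that terminate a quoted
// HTML attribute, which is all that is needed to leave the data-note
// context and inject markup.
$storedNote = '"><b>injected</b>';

// Vulnerable pattern: the stored note is concatenated into the attribute
// exactly as it came from the database.
function renderRowVulnerable(string $note): string
{
    return '<tr data-note="' . $note . '"><td>user</td></tr>';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// In a CodeIgniter 4 view the equivalent call is esc($note, 'attr');
// plain PHP's htmlspecialchars with ENT_QUOTES covers a quoted attribute.
function renderRowSafe(string $note): string
{
    $encoded = htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr data-note="' . $encoded . '"><td>user</td></tr>';
}

// Defender's check: the whole note must still be inside the data-note
// attribute after rendering. If the attribute was closed early, decoding
// its value will not give back the original note.
function noteFullyContained(string $html, string $note): bool
{
    if (!preg_match('/data-note="([^"]*)"/', $html, $m)) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8') === $note;
}

echo renderRowVulnerable($storedNote), PHP_EOL;
echo renderRowSafe($storedNote), PHP_EOL;

// The vulnerable renderer fails the check, the encoded one passes it.
var_dump(noteFullyContained(renderRowVulnerable($storedNote), $storedNote));
var_dump(noteFullyContained(renderRowSafe($storedNote), $storedNote));
```

Output encoding at the attribute sink is the fix that matters; validating the note on input (length, allowed characters) reduces what reaches the database but does not replace it.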
