CI4MS Backup Module Stored DOM XSS Vulnerability Leading to Full Account Takeover and Privilege Escalation

Vulnerability

A stored DOM-based cross-site scripting vulnerability has been identified in the CI4MS content management system, version 0.31.4.0. The flaw is in the backup module's filename field: an attacker supplies a crafted SQL file that alters the stored filename value so that it carries a hidden XSS payload. Because the payload is persisted and then injected into the DOM whenever the backup module renders the filename, it executes in the browser of any user who views that page, which is what allows the attacker to take over that user's account and escalate privileges. The issue has been addressed in version 0.31.5.0.
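The vulnerable and hardened rendering patterns behind a stored DOM XSS of this shape, as an added example that is not CI4MS code and is not taken from the advisory. It models a backup-list renderer that places a filename read from a database row into markup; the innerHTML-style string sink, the row field names, the sample payload and the filename allowlist pattern are all assumptions made for the illustration.

```javascript
// Added example (not CI4MS code). Models a backup-list renderer that
// interpolates a filename from a database row into HTML. The sink type
// (innerHTML-style string rendering) and the field names are assumptions.

// Constructed sample rows: one benign, and one whose filename field has
// been altered (for example via a crafted restore SQL) to carry a payload.
const SAMPLE_ROWS = [
  { id: 1, filename: 'backup-2026-05-01.sql' },
  { id: 2, filename: 'x<img src=x onerror=alert(document.cookie)>.sql' },
];

// Minimal HTML entity escaping for text placed inside element content
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is interpolated raw into markup
// that is later assigned to innerHTML, so the browser parses it as HTML
// and the onerror handler runs in the viewing user's session.
function renderRowUnsafe(row) {
  return `<tr><td>${row.id}</td><td>${row.filename}</td></tr>`;
}

// Hardened pattern: escape before interpolation so the filename is shown
// as text. Equivalent to assigning the value to a cell's textContent.
function renderRowSafe(row) {
  return `<tr><td>${row.id}</td><td>${escapeHtml(row.filename)}</td></tr>`;
}

// Defence in depth: a backup filename only ever needs a tight character
// set, so reject stored values outside an allowlist before rendering.
// The pattern below is an assumption for the example.
const FILENAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,199}\.sql$/;
function isValidBackupFilename(name) {
  return FILENAME_RE.test(name);
}

function renderTable(rows, renderRow) {
  return `<table>${rows.map(renderRow).join('')}</table>`;
}

// Crude detector used to compare the two renderers: any tag carrying an
// on* event handler attribute has survived into the markup as markup.
function containsEventHandlerTag(html) {
  return /<\w+[^>]*\son\w+=/i.test(html);
}

// Stand-alone demo.
console.log('unsafe:', renderTable(SAMPLE_ROWS, renderRowUnsafe));
console.log('safe:  ', renderTable(SAMPLE_ROWS, renderRowSafe));
console.log('rejected rows:',
  SAMPLE_ROWS.filter((r) => !isValidBackupFilename(r.filename)).map((r) => r.id));
```

Output encoding at the sink is the fix that actually removes the XSS; the allowlist is a second layer that also catches a stored value that was tampered with after the fact, which matters here precisely because the payload arrives through a SQL file rather than through the normal upload form.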

Impact

Exploitation of this vulnerability allows full account takeover and privilege escalation, and the victim can be a user of any role: because the payload is stored, it executes in the browser of whichever user views the backup module, including administrators.

Remediation

Users are advised to update to version 0.31.5.0, where this vulnerability has been patched. Because the payload is stored in the backup module's filename field, operators should also review existing backup records for filename values that contain markup after upgrading, and treat the sessions of users who viewed the affected page while a payload was present as potentially compromised.

Added: May 7, 2026, 4:40 AM
Updated: May 7, 2026, 4:40 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.0
remediation: 0.0
relevance: 7.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.