Executive Summary

This vulnerability is a Stored Cross-Site Scripting (Stored XSS) issue found in the backend user management functionality of CI4MS, a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, the application did not properly sanitize user-controlled input before displaying it in the administrative interface. This allowed attackers to inject malicious JavaScript code that is persistently stored and automatically executed whenever backend users access the affected page.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is severe. An attacker exploiting this Stored XSS can hijack sessions, escalate privileges, and fully compromise administrative accounts. This means attackers can gain unauthorized access to administrative functions, potentially controlling the entire CMS backend.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the CI4MS application to version 0.31.0.0 or later, where the Stored Cross-Site Scripting (Stored XSS) issue has been patched.

Additionally, review and sanitize all user-controlled input in the backend user management functionality to prevent injection of persistent JavaScript code.

Limit backend user access and monitor administrative interfaces for suspicious activity until the patch is applied.

Useful 0 Not Useful 0

Compliance Impact

The Stored Cross-Site Scripting (Stored XSS) vulnerability in CI4MS allows attackers to execute persistent malicious scripts in the administrative interface, leading to session hijacking, privilege escalation, and full administrative account compromise.

Such security breaches can result in unauthorized access to sensitive data and administrative controls, which may violate data protection requirements under common standards and regulations like GDPR and HIPAA.

Failure to properly sanitize user input and prevent such vulnerabilities can lead to non-compliance with these regulations, as they mandate adequate security measures to protect personal and sensitive information.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to create a backend user with a specially crafted payload in the "name" or "surname" fields via the /backend/users endpoint and then observing if the payload executes when viewing the users listing page.

A proof of concept payload to test for the vulnerability is: adnan"><img src=1 onerror=alert(document.cookie)><<e>img src=1 onerror=alert(document.cookie)>

If the payload executes (e.g., a JavaScript alert showing cookies appears) when accessing the backend users listing page, the system is vulnerable.

To detect this on your system, you can use HTTP request tools like curl or Postman to create a user with the payload and then access the users listing page in a browser to observe if the script runs.

• Example curl command to create a user with the payload (authentication and exact API details may vary):
• curl -X POST https://your-ci4ms-instance/backend/users -d '{"name":"adnan\"><img src=1 onerror=alert(document.cookie)>","surname":"test"}' -H 'Content-Type: application/json' -H 'Authorization: Bearer <token>'

After creating the user, visit the backend users listing page in a browser to check if the alert pops up, indicating the vulnerability.

Useful 0 Not Useful 0