Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34567 describes a critical Stored DOM Cross-Site Scripting (XSS) vulnerability affecting the ci4-cms-erp/ci4ms CMS ERP system. This vulnerability allows attackers to inject malicious JavaScript payloads into blog post categories, potentially leading to full account takeover and privilege escalation. The vulnerability impacts versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, with a fix available in version 0.31.0.0.
The impact of CVE-2026-34567 is severe due to the nature of the XSS vulnerability and its potential for account takeover. An attacker can craft a malicious blog post category containing JavaScript code. When a user views this category, the JavaScript executes in their browser context, allowing the attacker to steal cookies, session tokens, or perform actions on behalf of the user. This can lead to complete compromise of user accounts, unauthorized access to sensitive data, and potential lateral movement within the system. The stored nature of the XSS means the payload persists on the server, making it a persistent threat to all users who view the affected category.
CVE-2026-34567 was publicly disclosed on 2026-04-01. Exploitation is considered likely because a stored XSS payload is easy to plant and the outcome can be account takeover. No public proof-of-concept exploits have been identified as of this writing, but the vulnerability's severity warrants immediate attention. It is not currently listed on the CISA KEV catalog.
Organizations using ci4-cms-erp/ci4ms for their ERP or CMS solutions, particularly those running versions prior to 0.31.0.0, are at risk. Shared hosting environments where multiple users have access to blog post creation and editing functionalities are especially vulnerable, as a compromised user account could impact other users on the same server.
• wordpress / composer / npm:
grep -r '<script>' /var/www/ci4ms/application/controllers/Admin/BlogCategories.php
• generic web:
curl -I http://your-ci4ms-site.com/blog-categories/ | grep -i content-type
curl -I http://your-ci4ms-site.com/blog-categories/ | grep -i x-xss-protection
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34567 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms, which contains the necessary fixes. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in blog post category content. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, review and sanitize all user-supplied input within the blog post category management interface. After upgrading, confirm the fix by creating a new blog post category with a simple JavaScript payload (e.g., <script>alert('XSS')</script>) and verifying that it does not execute when viewed.
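The output-encoding fix that the mitigation above calls for, as an added PHP example; this is not code from the ci4ms project and does not reproduce its templates. It assumes category rows with `slug` and `name` fields read from the database as untrusted strings, shows the defect class (a stored name interpolated into HTML unescaped) beside the hardened rendering, covers the DOM-based variant where the same data is handed to client-side script as JSON, and turns the advisory's post-upgrade verification step into a check. All category data below is constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example, not ci4ms project code. Function names, the route shape
// "/blog/category/{slug}" and the sample rows are assumptions for illustration.

/** Escape an untrusted string for an HTML text or attribute context. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored category names are interpolated as raw HTML. */
function renderCategoriesVulnerable(array $categories): string
{
    $html = "<ul class=\"categories\">\n";
    foreach ($categories as $c) {
        $html .= "  <li><a href=\"/blog/category/{$c['slug']}\">{$c['name']}</a></li>\n";
    }
    return $html . "</ul>\n";
}

/** Hardened form: each stored value is encoded for the context it lands in. */
function renderCategoriesSafe(array $categories): string
{
    $html = "<ul class=\"categories\">\n";
    foreach ($categories as $c) {
        $slug = rawurlencode((string) $c['slug']);   // URL path segment
        $name = escapeForHtml((string) $c['name']);  // HTML text node
        $html .= "  <li><a href=\"/blog/category/{$slug}\">{$name}</a></li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * DOM-based variant: when the category list is embedded for client-side
 * JavaScript, emit JSON with the HEX flags so a name containing "</script>"
 * or quotes cannot terminate the enclosing <script> block. The client must
 * then insert the names with textContent, never innerHTML.
 */
function categoriesAsJsonForScript(array $categories): string
{
    return json_encode(
        $categories,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: one benign category and one carrying the kind of
// payload the advisory's verification step uses.
$sample = [
    ['slug' => 'news',  'name' => 'News'],
    ['slug' => 'promo', 'name' => "<script>alert('XSS')</script>"],
];

$safeHtml = renderCategoriesSafe($sample);
$json     = categoriesAsJsonForScript($sample);

// The advisory's post-upgrade check in test form: the payload may survive
// only as inert text, never as a live tag, in either output channel.
$leaked = str_contains($safeHtml, '<script>') || str_contains($json, '<script>');
if ($leaked) {
    fwrite(STDERR, "FAIL: unescaped <script> reached the output\n");
    exit(1);
}

printf(
    "vulnerable rendering leaks a live tag: %s\n",
    str_contains(renderCategoriesVulnerable($sample), '<script>') ? 'yes' : 'no'
);
echo $safeHtml, $json, PHP_EOL;
```

In a CodeIgniter 4 code base the framework's own `esc()` helper performs the same context-aware encoding (`html`, `attr`, `js`, `url` contexts) and is the idiomatic call to use in views; the point of the example is that the encoding has to happen at every sink where the stored category name is emitted, since a WAF pattern match on `<script>` in the input is only a stopgap and is easily circumvented by payloads that use other tags or event handlers.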
Update CI4MS to version 0.31.0.0 or higher. This version fixes the stored cross-site scripting (XSS) vulnerability in the categories area of blog posts. The update prevents attackers from injecting malicious JavaScript code into category content.
CVE-2026-34567 is a stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript into blog post categories.
You are affected if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier. Upgrade to 0.31.0.0 to resolve the issue.
Upgrade to version 0.31.0.0 or later. As a temporary workaround, implement a WAF rule to block suspicious JavaScript payloads.
There are currently no known active exploits, but the vulnerability's severity and ease of exploitation suggest a potential risk.
Refer to the official ci4-cms-erp release notes and security advisories on their official website or GitHub repository.