Plattform
php
Komponente
ci4ms
Behoben in
31.0.1
31.0.0.0
CVE-2026-34989 describes a stored DOM Cross-Site Scripting (XSS) vulnerability affecting CI4MS versions up to 31.0.0. This vulnerability allows attackers to inject malicious JavaScript payloads into user profile names, which are then stored and subsequently rendered without proper sanitization. Successful exploitation can lead to arbitrary JavaScript execution within the context of a victim's browser, potentially enabling session hijacking, data theft, or defacement.
The impact of this XSS vulnerability is significant. An attacker can craft a malicious profile name containing JavaScript code. When a user updates their profile with this crafted name, the payload is stored on the server. Subsequently, when other users (or even the original user) view the profile, the malicious script is executed in their browser. This can lead to various attacks, including stealing session cookies, redirecting users to phishing sites, or injecting malicious content into the application's interface. The stored nature of the vulnerability means the attack persists until the profile is updated or the application is patched, amplifying the potential blast radius.
CVE-2026-34989 was publicly disclosed on 2026-04-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation. It is not currently listed on CISA KEV.
Organizations using CI4MS for profile management and relying on user-generated content are at risk. Shared hosting environments where multiple users share the same CI4MS instance are particularly vulnerable, as a compromised user profile could impact other users on the same server.
• php: Examine CI4MS application logs for suspicious JavaScript code being stored in profile names. Use grep to search for <script> tags or event handlers within the database entries for user profiles.
grep -r '<script' /path/to/ci4ms/database/user_profiles• generic web: Monitor application access logs for unusual requests related to profile updates, particularly those containing unusual characters or patterns that might indicate an XSS attempt.
curl -I 'https://your-ci4ms-site.com/profile/update?name=<script>alert(1)</script>' # Check response headers for XSS indicatorsdisclosure
Exploit-Status
EPSS
0.05% (16% Perzentil)
CISA SSVC
The primary mitigation for CVE-2026-34989 is to upgrade CI4MS to version 31.0.0 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious JavaScript payloads in profile name updates. Additionally, carefully review and sanitize all user-supplied input within the application, particularly data that is later displayed to other users. Regularly scan the application for XSS vulnerabilities using automated tools.
Actualice a la versión 31.0.0 o superior para mitigar la vulnerabilidad. Esta versión incluye una sanitización adecuada de la entrada del usuario al actualizar el perfil, previniendo la inyección de código JavaScript malicioso.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-34989 is a critical stored XSS vulnerability in CI4MS versions 31.0.0 and earlier, allowing attackers to inject malicious JavaScript via profile name updates.
Yes, if you are using CI4MS versions 31.0.0 or earlier, you are vulnerable to this XSS attack. Upgrade to 31.0.0 immediately.
Upgrade CI4MS to version 31.0.0 or later. Implement strict input validation and output encoding as a temporary workaround.
While no active exploitation has been publicly confirmed, the high CVSS score suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official CI4MS security advisory page for details and updates regarding CVE-2026-34989: [Replace with actual CI4MS advisory URL]
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.