CVE-2026-34558 (severity: unknown)

CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Platform

codeigniter

Component

ci4ms

Fixed in

0.31.0.0

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
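The defect described above is a missing output-encoding step between stored, attacker-controlled field values and the administrative views and navigation markup that render them. The following is an added example (not CI4MS project code; the field names, view structure and payload are constructed assumptions) that shows a stored "method" record rendered once without encoding and once with the context-appropriate encoding a CodeIgniter 4 view would apply, plus a small regression check a maintainer could keep in a test suite:

```php
<?php
// Added example, not CI4MS project code. The record layout, function names and
// payload below are assumptions constructed to illustrate the bug class.

// Constructed stored value, as an attacker-controlled "method name" would look
// after being saved server-side without sanitization.
$storedMethod = [
    'name' => '<script>alert("stored xss")</script>', // constructed test payload
    'url'  => '/admin/methods/1',                      // constructed value
];

// Vulnerable rendering: the stored value is concatenated straight into markup,
// so the browser parses the payload as a live <script> element.
function renderNavItemVulnerable(array $method): string
{
    return '<li><a href="' . $method['url'] . '">' . $method['name'] . '</a></li>';
}

// Hardened rendering: HTML-context encoding on every interpolated value.
// In a CodeIgniter 4 view this is esc($value) for text and esc($value, 'attr')
// for attributes; htmlspecialchars() is used here so the file runs without the
// framework.
function renderNavItemSafe(array $method): string
{
    $name = htmlspecialchars($method['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url  = htmlspecialchars($method['url'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li><a href="' . $url . '">' . $name . '</a></li>';
}

// Hardened rendering for a JavaScript context (for example a menu configuration
// emitted into an inline <script> that client-side code later inserts into the
// DOM): JSON-encode with the HTML-safe flags instead of HTML-escaping.
// CodeIgniter 4 equivalent: esc($value, 'js').
function renderMenuConfigSafe(array $methods): string
{
    $json = json_encode(
        $methods,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>window.menuConfig = ' . $json . ';</script>';
}

// Regression check: the constructed payload must never survive as a live
// <script> tag in rendered output.
function containsLiveScriptTag(string $html, string $marker = '<script>alert('): bool
{
    return stripos($html, $marker) !== false;
}

$vuln = renderNavItemVulnerable($storedMethod);
$safe = renderNavItemSafe($storedMethod);
$cfg  = renderMenuConfigSafe([$storedMethod]);

echo "vulnerable: $vuln\n"; // payload lands in the DOM as a live <script> tag
echo "hardened:   $safe\n"; // payload rendered as inert text
echo "js context: $cfg\n";  // '<' and quotes emitted as \u003C, \u0022 etc.

assert(containsLiveScriptTag($vuln) === true);
assert(containsLiveScriptTag($safe) === false);
assert(containsLiveScriptTag($cfg) === false);
```

The point of the third renderer is that one encoding does not fit every sink: a value that is HTML-escaped and then dropped into an inline script or a JavaScript string is still injectable, which is why the JS context gets its own encoder. Run the file with `php example.php`; the assertions fail (and `assert` must be enabled via `zend.assertions=1`) if either hardened path ever lets the marker through.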

How to fix

Upgrade CI4MS to version 0.31.0.0 or later. This version fixes the stored Cross-Site Scripting (XSS) vulnerabilities in the Methods Management functionality, preventing malicious JavaScript from executing in administrators' browsers.

CVE-2026-34558 — Vulnerability Details | NextGuard