Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.5, 0.31.4.0
CVE-2026-39391 is a stored Cross-Site Scripting (XSS) vulnerability in the ci4-cms-erp/ci4ms component affecting versions up to 0.31.3.0. An authenticated administrator with blacklist privileges can inject JavaScript that executes in the browser of any other administrator who opens the user management page, potentially leading to session hijacking or data theft. A patch is available in version 0.31.4.0.
CVE-2026-39391 in ci4ms allows an administrator with blacklist privileges to inject arbitrary JavaScript into the user management page; the code executes in the browser of any other administrator who views the page. The root cause is the lack of sanitization and escaping of the 'note' parameter in the UserController::ajaxblackListpost() function. An attacker can leverage this to steal session cookies, redirect victims to malicious sites, or perform other actions on behalf of the affected administrator, compromising application security and potentially exposing sensitive user information.
An attacker with administrator privileges and access to the blacklist function can inject malicious JavaScript into the 'note' field when blacklisting a user. The payload is stored in the database and rendered on the user management page; when another administrator visits that page, the script executes in their browser, allowing the attacker to compromise their session and perform unauthorized actions.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
The solution to this vulnerability is to update to version 0.31.4.0 of ci4ms. This version includes a fix that properly sanitizes and escapes the 'note' parameter before storing it in the database and rendering it in HTML. Until the update is applied, restrict access to the user management page to trusted administrators and monitor for unusual activity within the application. Additionally, review and strengthen password policies and two-factor authentication to limit the impact of a potential exploitation.
Update to version 0.31.4 or later to mitigate the vulnerability. This version fixes the problem by correctly escaping data before rendering it on the user management page, preventing the execution of malicious JavaScript code.
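The unescaped-output defect and the escape-at-render fix described above, as an added PHP illustration that is not ci4ms project code; the function names and the sample note are constructed, and it assumes PHP 8 with the mbstring extension.

```php
<?php
// Added illustration, not ci4ms project code: the stored-XSS pattern the
// advisory describes, reduced to plain PHP so it runs without CodeIgniter.
declare(strict_types=1);

// Constructed blacklist note containing markup. Once stored in the database
// it is untrusted data and must be escaped wherever it is rendered.
const SAMPLE_NOTE = 'Repeated spam, <b>see ticket #42</b> & related reports';

// Vulnerable pattern: the stored note is interpolated straight into the HTML
// of the user management page, so any markup in it becomes live DOM in the
// browser of every administrator who opens the page.
function render_note_vulnerable(string $note): string
{
    return "<td class=\"note\">{$note}</td>";
}

// Hardened pattern: escape for the HTML body context at render time. These
// flags match what CodeIgniter 4's esc($note) applies in its default 'html'
// context, so in a CI4 view wrapping the value in esc() is sufficient.
function render_note_hardened(string $note): string
{
    $safe = htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<td class=\"note\">{$safe}</td>";
}

// Defence in depth on the write path (the ajaxblackListpost handler in the
// advisory): bound the length and reject control characters. This does not
// replace output escaping; a legitimate note may contain '<' or '&'.
function validate_note(string $note): bool
{
    if (mb_strlen($note, 'UTF-8') > 255) {
        return false;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $note) !== 1;
}

// True when escaping neutralised the markup while keeping the text: the
// rendered cell contains no raw <b> tag but still shows it literally.
function escaping_is_effective(string $note): bool
{
    $html = render_note_hardened($note);
    return !str_contains($html, '<b>') && str_contains($html, '&lt;b&gt;');
}

var_dump(validate_note(SAMPLE_NOTE) && escaping_is_effective(SAMPLE_NOTE));
echo render_note_vulnerable(SAMPLE_NOTE), PHP_EOL; // tag reaches the page live
echo render_note_hardened(SAMPLE_NOTE), PHP_EOL;   // tag shown as inert text
```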
In this context, 'blacklist' refers to the ability of an administrator to block or restrict a user's access to the application.
An attacker could inject code to steal session cookies, redirect to malicious sites, display fake pop-ups, or perform other malicious actions.
Change your password immediately, review your recent activity, and contact the system administrator to investigate the situation.
Monitor for unusual activity within the application, such as unexpected logins or changes to system configuration.
Yes, updating to version 0.31.4.0 is the recommended solution to fix this vulnerability.
CVSS Vector