CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Platform
codeigniter
Component
ci4ms
Fixed in
0.31.0.0
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side. This stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
How to fix
Actualice CI4MS a la versión 0.31.0.0 o superior. Esta versión corrige la vulnerabilidad de Cross-Site Scripting (XSS) almacenado en las categorías de blogs. La actualización evitará la ejecución de código JavaScript malicioso inyectado en el título de las categorías.
Monitor your dependencies automatically
Get notified when new vulnerabilities affect your projects. Free forever.
Start free