Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1
31.0.0
CVE-2026-34561 describes a stored DOM Cross-site Scripting (XSS) vulnerability discovered in the ci4-cms-erp/ci4ms CMS. This vulnerability allows attackers to inject malicious scripts through unsanitized input within the System Settings – Social Media Management section. Affected versions are those prior to 31.0.0. The vulnerability is mitigated by upgrading to the patched version.
The XSS vulnerability in ci4-cms-erp/ci4ms allows an attacker to inject arbitrary JavaScript code into the application. This code executes within the context of the user's browser, potentially enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The stored nature of the vulnerability means the injected payload persists, potentially affecting multiple users who visit the affected page. Successful exploitation could lead to complete account compromise and data exfiltration, similar to other XSS attacks targeting CMS platforms.
CVE-2026-34561 was publicly disclosed on 2026-04-01. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the stored nature of the XSS suggests a potential for medium-level exploitation probability.
Organizations using ci4-cms-erp/ci4ms for their ERP and CMS needs, particularly those relying on the Social Media Management features, are at risk. Shared hosting environments where multiple users share the same instance of ci4-cms-erp/ci4ms are especially vulnerable, as an attacker could potentially compromise the entire hosting environment through this vulnerability.
• php: Examine the System Settings – Social Media Management section for suspicious JavaScript code injected into the Social Media and Social Media Link fields. Use grep to search for common XSS payloads (e.g., <script>, onload=, javascript:) within the configuration files.
grep -rEi '<script|onload=|javascript:' /path/to/ci4ms/config/social_media.php
• generic web: Monitor access logs for unusual requests targeting the social media configuration endpoints. Look for requests containing suspicious characters or patterns indicative of XSS attempts.
curl -s 'http://your-ci4ms-site.com/system/settings/social_media?social_media=<script>alert(1)</script>' > /dev/null 2>&1
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34561 is to upgrade ci4-cms-erp/ci4ms to version 31.0.0 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Input validation and output encoding should be applied to all user-supplied data within the System Settings – Social Media Management section. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Review and update any existing input sanitization routines to ensure they are robust and effective. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Social Media configuration fields and verifying that it is properly sanitized.
Update CI4MS to version 0.31.0.0 or later. This version fixes the stored XSS vulnerability in the system settings, specifically in social media management.
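As an added illustration of the input validation and output encoding the workaround calls for (example code written for this page, not ci4ms project code): a hypothetical renderer for the Social Media name and link fields, shown in its vulnerable form beside a hardened one. It assumes plain PHP; CodeIgniter 4's esc() helper provides the same HTML-context escaping as the htmlspecialchars() call used here.

```php
<?php
// Added example, not ci4ms project code. Function and field names are
// hypothetical; CodeIgniter 4's esc() helper performs the same HTML-context
// escaping as htmlspecialchars() below.
declare(strict_types=1);

// Only plain web URLs are acceptable for a social media link. Rejecting any
// other scheme blocks javascript: style values, which survive HTML escaping
// because they are executed from inside the href attribute, not as markup.
function isSafeSocialLink(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Vulnerable pattern: stored setting values interpolated into HTML verbatim.
function renderUnsafe(string $name, string $url): string
{
    return '<a href="' . $url . '">' . $name . '</a>';
}

// Hardened pattern: validate the link, then encode both values for HTML.
function renderSafe(string $name, string $url): string
{
    $href = isSafeSocialLink($url) ? $url : '#';
    $enc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $enc($href) . '" rel="noopener noreferrer">' . $enc($name) . '</a>';
}

// Constructed sample rows standing in for stored Social Media settings.
$rows = [
    ['name' => 'Twitter',                   'url' => 'https://twitter.com/example'],
    ['name' => '<script>alert(1)</script>', 'url' => 'https://example.test/'],
    ['name' => 'Profile',                   'url' => 'javascript:alert(1)'],
];

foreach ($rows as $row) {
    echo 'unsafe: ' . renderUnsafe($row['name'], $row['url']) . PHP_EOL;
    echo 'safe:   ' . renderSafe($row['name'], $row['url']) . PHP_EOL . PHP_EOL;
}
```

In the hardened output the second row's name is rendered as inert text and the third row's link collapses to `#`, which is the behaviour a post-upgrade verification of these fields should show.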
CVE-2026-34561 is a stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions prior to 31.0.0, allowing attackers to inject malicious scripts via Social Media configuration fields.
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.3.0 or earlier. Upgrade to 31.0.0 to mitigate the risk.
Upgrade ci4-cms-erp/ci4ms to version 31.0.0 or later. Implement input validation and output encoding as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's stored nature makes it a potential target.
Refer to the official ci4-cms-erp/ci4ms project website or repository for the latest security advisories and updates.