Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34562 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms system. This vulnerability allows attackers to inject malicious scripts through unsanitized input in the System Settings – Company Information section, resulting in immediate same-page execution. The vulnerability impacts versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
An attacker can use this XSS vulnerability to execute arbitrary JavaScript in the context of a user's browser session, which could lead to session hijacking, credential theft, or defacement of the application. Because the vulnerability is stored, the malicious script persists on the server and can affect every user who views the compromised company information page. Successful exploitation could also redirect users to phishing sites or deliver malware, extending the impact beyond the application itself. Because the payload runs on the same page as soon as it loads, detection and prevention are harder.
CVE-2026-34562 was publicly disclosed on 2026-04-01. The vulnerability is not currently listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time, but the ease of exploitation inherent in DOM XSS suggests a potential for rapid exploitation if a PoC is released. The vulnerability's impact is amplified by the stored nature of the payload, making it a persistent threat.
Organizations using ci4-cms-erp/ci4ms in production environments, particularly those with administrative users who regularly manage company information settings, are at risk. Shared hosting environments where multiple users share the same instance of the application are also particularly vulnerable, as a compromised account could affect all users on the server.
• php: Examine application logs for unusual activity related to the System Settings – Company Information section. Look for POST requests containing suspicious characters or patterns.
grep -i '<script' /var/log/apache2/access.log
• generic web: Use curl to test the company information endpoint with a simple XSS payload and observe the response.
curl -X POST -d "company_name=<script>alert('XSS')</script>" http://your-ci4ms-instance/system_settings/company_info
• generic web: Check response headers for Content-Security-Policy (CSP) directives. A strong CSP can mitigate XSS attacks.
curl -I http://your-ci4ms-instance/system_settings/company_info
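As an added example (not from this advisory or the ci4ms project), the following Python script applies the log check from the first bullet to sample Apache access-log lines, URL-decoding the request target (including double encoding, which a plain grep for '<script' misses) before matching and restricting hits to the company-information path. The log lines and the path prefix are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /system_settings/company_info HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2026:10:00:09 +0000] "POST /system_settings/company_info HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2026:10:01:30 +0000] "GET /system_settings/company_info?company_name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200 "-" "curl/8.0"
198.51.100.7 - - [01/Apr/2026:10:02:11 +0000] "GET /system_settings/company_info?company_name=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 5200 "-" "curl/8.0"
192.0.2.9 - - [01/Apr/2026:10:03:00 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that has no business inside a company-information field.
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),
    re.compile(r'<\s*(img|svg|iframe|body)\b[^>]*\bon\w+\s*=', re.I),
    re.compile(r'javascript\s*:', re.I),
]


def fully_decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are also visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text, path_prefix="/system_settings/company_info"):
    """Return request-line hits against the company-info path (assumed prefix)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m["target"])
        if not target.startswith(path_prefix):
            continue
        matched = [p.pattern for p in XSS_PATTERNS if p.search(target)]
        if matched:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": target, "patterns": matched})
    return hits
```

Access logs record only the request line, so this catches payloads carried in the query string; payloads in a POST form body are visible only to a WAF or an audit log that captures request bodies.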
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34562 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the company information fields. Specifically, look for patterns associated with JavaScript injection, such as <script> tags, event handlers (e.g., onload, onclick), and common XSS payloads. Additionally, review and tighten input validation and output encoding practices within the application to prevent future XSS vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the company information settings and verifying that it is properly sanitized.
Upgrade CI4MS to version 0.31.0.0 or later. This version fixes the stored Cross-Site Scripting (XSS) vulnerability in the company information settings.
CVE-2026-34562 is a stored DOM XSS vulnerability in ci4-cms-erp/ci4ms, allowing attackers to inject malicious scripts through unsanitized company information settings.
You are affected if you are using ci4-cms-erp/ci4ms versions 0.28.6.0 or earlier.
Upgrade to version 0.31.0.0 or later. As a temporary workaround, implement a WAF rule to filter malicious input.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for rapid exploitation.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates.