Platform
php
Component
ci4-cms-erp/ci4ms
Fixed version
0.31.1
0.31.0.0
CVE-2026-34568 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms application. This vulnerability allows attackers to inject malicious JavaScript payloads into blog post content, which are then stored and subsequently rendered without proper sanitization. The vulnerability impacts versions of ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
An attacker can leverage this XSS vulnerability to execute arbitrary JavaScript code in the context of a victim's browser. This could lead to session hijacking, defacement of the website, redirection to malicious sites, or theft of sensitive information like cookies and credentials. The stored nature of the vulnerability means that a single successful injection can affect multiple users who view the compromised blog post. The impact is particularly severe because the payload is persistent, remaining on the server until manually removed, and can therefore affect a large number of users over time. As with other stored XSS vulnerabilities, this also lets an attacker craft highly targeted attacks.
CVE-2026-34568 was publicly disclosed on 2026-04-01. The vulnerability is not currently listed on CISA KEV, and there is no EPSS score available. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively straightforward nature of XSS vulnerabilities suggests that a PoC could emerge quickly. Active exploitation is not currently confirmed.
Organizations using ci4-cms-erp/ci4ms for content management, particularly those with public-facing blogs, are at risk. Shared hosting environments where multiple users share the same instance of the application are especially vulnerable, as an attacker could potentially compromise the entire hosting environment through a single blog post injection.
• php: Examine blog post content in the database for suspicious JavaScript code. Look for <script> tags, event handlers, or obfuscated code.
grep -r '<script' /path/to/database/blog_posts
• generic web: Monitor access logs for requests containing suspicious URL parameters or POST data related to blog post creation or editing. (Note: the pattern below uses alternation, so grep needs -E; without it a plain `|` is matched literally.)
grep -Ei 'script|onload|onclick' /var/log/apache2/access.log
• generic web: Check response headers for signs of XSS, such as Content-Security-Policy (CSP) headers that are not properly configured.
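The two grep checks above only catch literal, unencoded strings. The script below is an added example (not part of the advisory and not ci4ms code) that performs the same two checks in PHP, the language of the affected application, but first strips URL-encoding and HTML entities so that lightly obfuscated payloads are also surfaced. The row shape (`id`, `content`), the Apache combined log format, the `/blog/edit/` path and all sample data are constructed assumptions for the demonstration; a real ci4ms schema and route layout may differ.

```php
<?php
declare(strict_types=1);

// Added triage helper: flags stored-XSS indicators in post bodies and in
// access-log request lines. Patterns are deliberately broad (triage, not proof).
const XSS_PATTERNS = [
    'script tag'      => '#<\s*script\b#i',
    'event handler'   => '#\bon[a-z]+\s*=#i',      // onerror=, onload=, ... (noisy by design)
    'javascript: URI' => '#javascript\s*:#i',
    'data:text/html'  => '#data\s*:\s*text/html#i',
    'embedded frame'  => '#<\s*(iframe|object|embed)\b#i',
];

/** Undo cheap encodings used to hide payloads before pattern matching. */
function normalize(string $s): string
{
    $decoded = $s;
    // Peel nested URL-encoding a few times (%253C -> %3C -> <).
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    // Entity-encoded content is safe when rendered as-is, but still worth a look
    // in triage: a lax renderer may decode it. Reviewers should treat such hits accordingly.
    $decoded = html_entity_decode($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Collapse NUL bytes and whitespace runs that naive filters trip over.
    return (string) preg_replace('/[\x00\s]+/', ' ', $decoded);
}

/** Return the labels of every pattern that matches $text (empty array = clean). */
function matchIndicators(string $text): array
{
    $hits = [];
    $n = normalize($text);
    foreach (XSS_PATTERNS as $label => $re) {
        if (preg_match($re, $n) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Scan database rows shaped like ['id' => int, 'content' => string] (assumed schema). */
function scanPosts(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $hits = matchIndicators($row['content']);
        if ($hits !== []) {
            $findings[$row['id']] = $hits;
        }
    }
    return $findings;
}

/**
 * Scan Apache/nginx combined-format lines. Only the request line is visible in an
 * access log, so POST bodies cannot be inspected here; query strings can.
 */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('#"(GET|POST) (\S+) HTTP/#', $line, $m)) {
            continue;
        }
        $hits = matchIndicators($m[2]);
        if ($hits !== []) {
            $findings[$i + 1] = ['path' => $m[2], 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample data (not real records or logs).
$posts = [
    ['id' => 1, 'content' => '<p>Release notes for 0.31</p>'],
    ['id' => 2, 'content' => '<img src=x onerror=alert(1)>'],
    ['id' => 3, 'content' => '&lt;script&gt;alert(1)&lt;/script&gt;'],
];
$log = [
    '203.0.113.5 - - [01/Apr/2026:10:00:00 +0000] "GET /blog/hello HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2026:10:01:00 +0000] "GET /blog/edit/2?content=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0',
];

print_r(scanPosts($posts));      // post 2 (event handler) and post 3 (entity-encoded script tag)
print_r(scanAccessLog($log));    // line 2 (URL-encoded script tag in the query string)
```

Run it against an export of the posts table and a copy of the access log rather than the live files; hits are a starting point for manual review, not a verdict, and the entity-decoding step in particular will flag content that was stored safely.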
disclosure
Exploitation status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34568 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in blog post content. Specifically, look for patterns indicative of XSS attempts, such as <script> tags, event handlers (e.g., onload, onclick), and JavaScript functions. Carefully review and sanitize all user-supplied input before rendering it in the application. Regularly scan the application for XSS vulnerabilities using automated tools.
Upgrade CI4MS to version 0.31.0.0 or later. This version contains the fix for the stored XSS vulnerability that allowed malicious JavaScript to execute in the application's context.
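The mitigation above says to sanitize user-supplied input before rendering it. The following is an added example of what that looks like in plain PHP; it is not the ci4ms fix and not code from the project. Plain fields (title, author) are escaped at output time, while rich-text post bodies go through an allowlist sanitiser built on PHP's DOMDocument, and a CSP header limits what any payload that slips through can do. The tag and attribute allowlists, the `$post` array shape and the sample content are assumptions for a typical blog, not the application's own.

```php
<?php
declare(strict_types=1);

// Added example: safe rendering of stored blog content (not ci4ms code).
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li',
                      'a', 'h2', 'h3', 'blockquote', 'code', 'pre'];
const ALLOWED_ATTRS = ['a' => ['href']];
// Elements whose content must never survive, not even unwrapped.
const DROP_WHOLE = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'template'];

/** Escape a plain-text field (title, author name) for an HTML body context. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Allow relative links and http(s)/mailto only; rejects javascript:, data:, vbscript: etc. */
function isSafeHref(string $href): bool
{
    $h = trim($href);
    if ($h === '' || $h[0] === '/' || $h[0] === '#') {
        return true;
    }
    return preg_match('#^(https?|mailto):#i', $h) === 1;
}

/** Recursively remove disallowed elements, attributes and non-text nodes below $node. */
function cleanNode(DOMNode $node): void
{
    // Copy first: mutating a live NodeList while iterating it skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child); // comments, CDATA, processing instructions
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WHOLE, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown but harmless element: keep its cleaned children, drop the wrapper.
            cleanNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Strip every attribute not on the allowlist; this removes on* handlers and style.
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true) || ($name === 'href' && !isSafeHref($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        if ($tag === 'a' && $child->hasAttribute('href')) {
            $child->setAttribute('rel', 'noopener noreferrer');
        }
        cleanNode($child);
    }
}

/** Sanitise an HTML fragment as stored in the posts table. */
function sanitizeBlogHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy markup quietly
    // The XML PI forces UTF-8; NOIMPLIED keeps our <body> as the root so children can be re-serialised.
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample of a hostile post, of the kind the advisory describes.
$post = [
    'title'   => 'Hello <script>alert(1)</script>',
    'content' => '<p onmouseover="alert(1)">Hello <b>world</b></p>'
               . '<script>alert(document.cookie)</script>'
               . '<a href="javascript:alert(1)">link</a>',
];
// Defence in depth: forbid inline scripts even if a payload survives sanitisation.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
echo '<h1>', escapeHtml($post['title']), '</h1>', PHP_EOL;
echo sanitizeBlogHtml($post['content']), PHP_EOL;
```

Sanitise at render time (or at save time and again at render time), never only on the way in: content already sitting in the database from before the fix is exactly what a stored XSS keeps serving. If the application uses a mature library such as HTMLPurifier, prefer it over a hand-written allowlist; the example exists to make the technique visible, not to replace such a library.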
CVE-2026-34568 is a CRITICAL stored XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0. It allows attackers to inject malicious JavaScript into blog posts, affecting all users who view them.
Yes, if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are vulnerable to this XSS attack. Carefully assess your deployment.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
Active exploitation is not currently confirmed, but the vulnerability's nature suggests it could be exploited quickly.
Refer to the official ci4-cms-erp project's release notes and security advisories for details on this vulnerability and the fix.