Platform
php
Component
ci4-cms-erp/ci4ms
Fixed version
0.31.3
0.31.2.0
CVE-2026-35035 describes a critical Stored DOM Blind Cross-Site Scripting (XSS) vulnerability affecting versions of ci4-cms-erp/ci4ms up to 0.31.1.0. This vulnerability allows attackers to achieve full account takeover and privilege escalation by injecting malicious scripts into the System Settings Company Information section of public-facing landing pages. A patch is available in version 0.31.2.0, and users are strongly advised to upgrade immediately.
The impact of CVE-2026-35035 is severe due to the potential for full account takeover and privilege escalation. An attacker can inject arbitrary JavaScript code into the System Settings Company Information section, which is accessible via public-facing landing pages. This allows them to steal user credentials, modify data, perform actions on behalf of the compromised user, and potentially gain control of the entire application. The blind nature of the XSS makes it harder to detect, as the payload execution might not be immediately visible to the user, increasing the risk of persistent compromise. This vulnerability could lead to significant data breaches, financial losses, and reputational damage.
CVE-2026-35035 was publicly disclosed on 2026-04-06. The CVSS score of 9.1 (CRITICAL) indicates a high probability of exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests that a POC is likely to emerge. It is not currently listed on the CISA KEV catalog.
Organizations using ci4-cms-erp/ci4ms in production environments, particularly those with public-facing landing pages and inadequate input validation, are at significant risk. Shared hosting environments where multiple users share the same instance of ci4-cms-erp/ci4ms are also particularly vulnerable, as a compromise of one user account could potentially lead to the compromise of the entire system.
• php: Examine application logs for suspicious JavaScript code being stored in the System Settings Company Information section. Use grep to search for <script> tags or other XSS payload indicators within the database entries associated with this section.
grep -r '<script' /path/to/database/files
• generic web: Monitor access logs for requests containing unusual or obfuscated JavaScript code in the Company Information field. Use curl to test the affected endpoint with a simple XSS payload and observe the response.
curl -X POST -d "Company Information=<script>alert('XSS')</script>" https://your-ci4ms-instance/system-settings/company-information
Exploitation status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35035 is to upgrade to version 0.31.2.0 or later, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds. Input validation and sanitization on the System Settings Company Information section should be implemented to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies and procedures to ensure they address XSS vulnerabilities.
Upgrade to version 0.31.2 or later to fix this vulnerability. This version implements proper sanitization of user input in System Settings, so that data is no longer stored and rendered unsafely on public pages.
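As an added example (not ci4ms project code), the following PHP script covers both the detection step above (the grep for script tags in stored settings) and the mitigation (escaping Company Information values before they reach a public landing page). The field names and the sample rows are constructed; the scan is a heuristic that goes beyond a literal `<script` match.

```php
<?php
// Added example, not ci4ms project code: a scan of stored System Settings
// values for script indicators (what the grep above approximates) and
// context-aware output escaping when those values reach a public landing page.
declare(strict_types=1);

// Patterns that indicate HTML or script content in a field meant to hold plain text.
const XSS_INDICATORS = [
    '/<\s*script\b/i',                               // <script ...>
    '/<\s*\/?\s*(iframe|svg|img|object|embed)\b/i',  // other active HTML elements
    '/\bon[a-z]+\s*=/i',                             // inline event handlers
    '/javascript\s*:/i',                             // javascript: URIs
];

// Return the indicator patterns matched by one stored value; an empty array means clean.
function findXssIndicators(string $value): array
{
    // Decode entities first so that an &lt;script&gt; variant is caught as well.
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $hits = [];
    foreach (XSS_INDICATORS as $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $pattern;
        }
    }
    return $hits;
}

// Render one company-information field into HTML body context with escaping applied.
function renderField(string $label, string $value): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    return '<p class="company-' . htmlspecialchars($label, $flags, 'UTF-8') . '">'
        . htmlspecialchars($value, $flags, 'UTF-8') . '</p>';
}

// Constructed sample rows standing in for the Company Information settings table.
$companyInfo = [
    'name'    => 'Example GmbH',
    'address' => '1 Example Street',
    'tagline' => "<script>alert('XSS')</script>",  // constructed malicious value
];

foreach ($companyInfo as $field => $value) {
    if (findXssIndicators($value) !== []) {
        fwrite(STDERR, "ALERT: stored field '{$field}' contains script indicators\n");
    }
    echo renderField($field, $value), PHP_EOL;   // tagline renders as inert text
}
```

The scan is suited to a one-off sweep of the settings table after upgrading; the escaping belongs in every view that echoes these fields, since the fix in 0.31.2.0 only protects data written after the upgrade.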
CVE-2026-35035 is a critical Stored DOM Blind XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.31.1.0, allowing attackers to achieve full account takeover.
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.1.0 or earlier and have public-facing landing pages.
Upgrade to version 0.31.2.0 or later. Implement input validation and sanitization as a temporary workaround.
While no public exploits are currently known, the high CVSS score and ease of exploitation suggest active exploitation is possible.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates.