Skip to content
Threat Feed
medium advisory

CI4MS Improper Sanitization of User Input Leading to XSS

CI4MS versions prior to 0.31.2.0 are vulnerable to stored cross-site scripting due to improper sanitization of user-controlled input within the System Settings – Company Information, allowing attackers to inject arbitrary JavaScript into public-facing pages.

CI4MS, a CodeIgniter 4-based CMS skeleton designed for production environments, is susceptible to a stored cross-site scripting (XSS) vulnerability. This flaw exists in versions prior to 0.31.2.0. The vulnerability stems from the application's failure to properly sanitize user-controlled input within the System Settings – Company Information section. Specifically, administrative configuration fields allow for the injection of arbitrary input, which is then stored server-side. This input is subsequently rendered without appropriate output encoding on public-facing pages, such as the main landing page. The XSS payload is only executed in the public frontend and does not impact the administrative dashboard itself. Upgrading to version 0.31.2.0 resolves this vulnerability.

Attack Chain

  1. An attacker gains administrative access to the CI4MS application.
  2. The attacker navigates to the System Settings – Company Information section within the administrative dashboard.
  3. The attacker injects a malicious JavaScript payload into one or more of the configuration fields (e.g., Company Name, Address, etc.).
  4. The attacker saves the modified configuration. The injected payload is stored in the application's database.
  5. A user visits the public-facing main landing page of the CI4MS application.
  6. The application retrieves the configuration data from the database, including the malicious payload.
  7. The application renders the configuration data on the landing page without proper output encoding.
  8. The injected JavaScript payload executes within the user's browser, potentially leading to session hijacking, defacement, or other malicious actions.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser when visiting the public-facing pages of the CI4MS application. This can lead to session hijacking, credential theft, defacement of the website, or redirection to malicious sites. The number of potential victims depends on the popularity and usage of the affected CI4MS instance. Organizations using vulnerable versions of CI4MS for their public-facing websites are at risk.

Recommendation

  • Upgrade CI4MS to version 0.31.2.0 or later to patch the vulnerability (reference: Overview).
  • Deploy the Sigma rule Detect CI4MS XSS Attempt via HTTP POST to detect potential exploitation attempts targeting the vulnerable configuration fields (reference: rules).
  • Inspect web server logs for suspicious POST requests to the administrative configuration pages containing JavaScript-like syntax or HTML injection attempts (reference: rules, logsource).
  • Implement a Web Application Firewall (WAF) rule to filter out malicious payloads being submitted to the CI4MS administrative interface.

Detection coverage 2

Detect CI4MS XSS Attempt via HTTP POST

high

Detects potential XSS attempts targeting CI4MS admin configuration pages by looking for script tags or event handlers in POST data

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detect CI4MS XSS via Script Tag in POST Data

high

Detects potential XSS attempts targeting CI4MS admin configuration pages by looking for script tags in POST data. This rule is more specific than the previous one.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detection queries are available on the platform. Get full rules →