{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ci4-cms-erp/ci4ms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","code-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eA Zip Slip vulnerability exists in the CI4MS backup restore functionality. Authenticated users with backup creation permissions can exploit this by uploading a specially crafted ZIP archive. The vulnerability lies in the \u003ccode\u003eBackup::restore\u003c/code\u003e function (modules/Backup/Controllers/Backup.php), where the application extracts the uploaded ZIP without proper validation of the entry names. This allows an attacker to write files to arbitrary locations, including the public web root, leading to remote code execution (RCE). This vulnerability affects CI4MS versions prior to 0.31.5.0. By crafting a ZIP file with malicious paths, attackers can bypass intended directory restrictions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with \u003ccode\u003ecreate\u003c/code\u003e role accesses the vulnerable \u003ccode\u003e/backend/backup/restore\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) with a path traversing outside the intended extraction directory (e.g., \u003ccode\u003e../../public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive via the \u003ccode\u003ebackup_file\u003c/code\u003e parameter in a POST request.\u003c/li\u003e\n\u003cli\u003eThe server moves the uploaded ZIP file to \u003ccode\u003eWRITEPATH . 'uploads/'\u003c/code\u003e without sanitizing or validating the ZIP entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function is called on the uploaded ZIP, extracting the malicious file to the specified path \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PHP file is written to the web root, allowing for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the injected PHP code by sending a request to \u003ccode\u003e/shell.php?c=id\u003c/code\u003e, executing arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the compromised server, including access to sensitive data and the ability to further compromise the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution (RCE) on the CI4MS server. This can lead to full compromise of the installation, including the database credentials stored in \u003ccode\u003e.env\u003c/code\u003e and any other sensitive data handled by the site. Because the affected route is in the \u003ccode\u003ecsrfExcept\u003c/code\u003e list, this vulnerability can be triggered cross-site against a logged-in administrator, potentially leading to drive-by RCE against site operators. The vulnerability affects versions of \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e prior to \u003ccode\u003e0.31.5.0\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecomposer/ci4-cms-erp/ci4ms\u003c/code\u003e to version 0.31.5.0 or later to patch the vulnerability as described in GHSA-xp9f-pvvc-57p4.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of uploaded ZIP archive entry names to prevent path traversal vulnerabilities. Specifically, validate the file paths extracted from the ZIP archive before calling \u003ccode\u003eextractTo()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Zip Slip via Web Request\u003c/code\u003e to identify potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file creations, especially in web-accessible directories, after ZIP archive uploads, based on the attack chain described above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:28:39Z","date_published":"2026-04-22T17:28:39Z","id":"/briefs/2024-01-09-ci4ms-zip-slip/","summary":"The CI4MS Backup restore function is vulnerable to Zip Slip, allowing remote code execution by uploading a malicious ZIP archive that writes PHP files to the public web root due to missing validation of entry names during extraction, affecting versions prior to 0.31.5.0.","title":"CI4MS Backup Restore Zip Slip Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-09-ci4ms-zip-slip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["high"],"_cs_tags":["code-execution","web-application","php"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eCI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a backend user account with theme upload permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.\u003c/li\u003e\n\u003cli\u003eThe application extracts the ZIP archive to a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code, running the system command specified in the \u0026lsquo;c\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is returned in the HTTP response, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting newly created directories under \u003ccode\u003e/templates/\u003c/code\u003e with PHP file extensions to detect potential exploitation attempts. Create a rule to detect this.\u003c/li\u003e\n\u003cli\u003eImplement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-ci4ms-rce/","summary":"CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.","title":"CI4MS Authenticated Remote Code Execution via Theme Upload","url":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ci4-cms-erp/ci4ms"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","codeigniter","vulnerability"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe ci4ms application is vulnerable to a Zip Slip attack in its theme upload functionality. This vulnerability, present in versions prior to 0.31.5.0, allows an authenticated backend user with theme creation privileges to upload a specially crafted ZIP archive. Due to the lack of proper validation of entry names during extraction, the attacker can write files to arbitrary locations on the filesystem. This is achieved by including malicious path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) in the ZIP archive\u0026rsquo;s entry names. The vulnerability allows an attacker to place a PHP webshell in the public web root, enabling remote code execution on the server. This issue poses a significant risk to organizations using ci4ms, as it allows attackers to fully compromise the installation and access sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ci4ms backend with an account possessing the theme \u003ccode\u003ecreate\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP webshell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) and an \u003ccode\u003einfo.xml\u003c/code\u003e file for theme validation. The webshell is placed with a path traversal sequence, such as \u003ccode\u003e../../public/shell.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the theme upload functionality within the ci4ms backend, accessible via the \u003ccode\u003ebackend/themes/themesUpload\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive through the web interface, triggering the \u003ccode\u003eTheme::upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eZipArchive::extractTo()\u003c/code\u003e function extracts the contents of the ZIP archive to a temporary directory (\u003ccode\u003eWRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file-\u0026gt;getName()) . '/'\u003c/code\u003e) without validating entry names.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal sequences in the ZIP archive, the PHP webshell is written to the web server\u0026rsquo;s document root (e.g., \u003ccode\u003e/var/www/html/public/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the PHP webshell via a web browser or command-line tool like \u003ccode\u003ecurl\u003c/code\u003e, passing commands to be executed on the server (e.g., \u003ccode\u003ehttps://target.example.com/shell.php?c=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe webserver executes the attacker-supplied command, granting the attacker remote code execution on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows an attacker to gain remote code execution on the ci4ms server. This grants the attacker full control over the server, potentially leading to the exfiltration of sensitive data, including database credentials stored in the \u003ccode\u003e.env\u003c/code\u003e file. The attacker can also modify or delete website content, install malware, or use the compromised server as a launching point for further attacks. This vulnerability affects versions of ci4ms prior to 0.31.5.0, and impacts any installation where an attacker can obtain theme creation privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ci4ms to version 0.31.5.0 or later to patch CVE-2026-41203.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Webshell Upload via Theme Exploit\u003c/code\u003e to detect attempts to upload malicious themes containing webshells.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent path traversal attacks in file upload functionalities.\u003c/li\u003e\n\u003cli\u003eRestrict theme creation privileges to only trusted administrators and monitor theme creation activity for suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-ci4ms-zip-slip/","summary":"A critical vulnerability exists in ci4ms Theme::upload, where improper validation of ZIP archive entry names allows authenticated users with theme creation permissions to write files to arbitrary locations, leading to remote code execution.","title":"CI4MS Theme Upload Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-zip-slip/"}],"language":"en","title":"CraftedSignal Threat Feed — Ci4-Cms-Erp/Ci4ms","version":"https://jsonfeed.org/version/1.1"}