{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ci4ms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39393"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CI4MS"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-39393","CI4MS","CodeIgniter","Remote Code Execution","Unauthenticated Access"],"_cs_type":"advisory","_cs_vendors":["CI4MS"],"content_html":"\u003cp\u003eCI4MS, a CodeIgniter 4-based CMS skeleton, is vulnerable to a critical security flaw (CVE-2026-39393) in versions prior to 0.31.4.0. The vulnerability stems from an insufficient install route guard mechanism. This guard, designed to prevent unauthorized access to the setup wizard after installation, relies on a combination of a volatile cache check (\u003ccode\u003ecache('settings')\u003c/code\u003e) and the presence of the \u003ccode\u003e.env\u003c/code\u003e file. When the database becomes temporarily unreachable, leading to a cache miss (either due to TTL expiry or manual cache clearing), the route guard fails open. This failure enables an unauthenticated attacker to access the setup wizard and overwrite the \u003ccode\u003e.env\u003c/code\u003e file with maliciously crafted database credentials. Successful exploitation leads to complete application takeover. The vulnerability was patched in version 0.31.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe target CI4MS instance experiences a database outage or becomes temporarily unreachable.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecache('settings')\u003c/code\u003e check in the install route guard fails due to a cache miss caused by the database outage.\u003c/li\u003e\n\u003cli\u003eThe flawed logic in the route guard incorrectly determines that the application is not yet installed.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the \u003ccode\u003e/install\u003c/code\u003e route, bypassing the intended security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the setup wizard, providing malicious database credentials.\u003c/li\u003e\n\u003cli\u003eThe application proceeds to overwrite the existing \u003ccode\u003e.env\u003c/code\u003e file with the attacker-supplied database configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative access to the CI4MS application using the newly configured database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute arbitrary code, modify content, and compromise sensitive data within the CI4MS application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39393 allows an unauthenticated attacker to achieve full application takeover of CI4MS instances running versions prior to 0.31.4.0. This can lead to complete data breaches, website defacement, and potential compromise of the underlying server. The severity is critical due to the ease of exploitation and the potential for widespread damage. The number of affected systems depends on the number of CI4MS installations that have not been upgraded to version 0.31.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all CI4MS installations to version 0.31.4.0 or later to patch CVE-2026-39393.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for unusual access attempts to the \u003ccode\u003e/install\u003c/code\u003e route on CI4MS instances.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS Install Route Access\u003c/code\u003e to detect unauthorized access attempts to the vulnerable installation route.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for POST requests to the \u003ccode\u003e/install\u003c/code\u003e route with parameters suggestive of database configuration changes. Use the Sigma rule \u003ccode\u003eDetect CI4MS Env Overwrite\u003c/code\u003e as a starting point.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-takeover/","summary":"CI4MS versions before 0.31.4.0 are vulnerable to unauthenticated takeover due to a flawed install route guard that allows overwriting the .env file with attacker-controlled database credentials when the database is temporarily unreachable.","title":"CI4MS Unauthenticated .env Overwrite Vulnerability (CVE-2026-39393)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-ci4ms-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-35035"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CI4MS"],"_cs_severities":["medium"],"_cs_tags":["xss","codeigniter","cms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCI4MS, a CodeIgniter 4-based CMS skeleton designed for production environments, is susceptible to a stored cross-site scripting (XSS) vulnerability. This flaw exists in versions prior to 0.31.2.0. The vulnerability stems from the application's failure to properly sanitize user-controlled input within the System Settings – Company Information section. Specifically, administrative configuration fields allow for the injection of arbitrary input, which is then stored server-side. This input is subsequently rendered without appropriate output encoding on public-facing pages, such as the main landing page. The XSS payload is only executed in the public frontend and does not impact the administrative dashboard itself. Upgrading to version 0.31.2.0 resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the CI4MS application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the System Settings – Company Information section within the administrative dashboard.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious JavaScript payload into one or more of the configuration fields (e.g., Company Name, Address, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified configuration. The injected payload is stored in the application's database.\u003c/li\u003e\n\u003cli\u003eA user visits the public-facing main landing page of the CI4MS application.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the configuration data from the database, including the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe application renders the configuration data on the landing page \u003cem\u003ewithout\u003c/em\u003e proper output encoding.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript payload executes within the user's browser, potentially leading to session hijacking, defacement, or other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser when visiting the public-facing pages of the CI4MS application. This can lead to session hijacking, credential theft, defacement of the website, or redirection to malicious sites. The number of potential victims depends on the popularity and usage of the affected CI4MS instance. Organizations using vulnerable versions of CI4MS for their public-facing websites are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CI4MS to version 0.31.2.0 or later to patch the vulnerability (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CI4MS XSS Attempt via HTTP POST\u003c/code\u003e to detect potential exploitation attempts targeting the vulnerable configuration fields (reference: rules).\u003c/li\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to the administrative configuration pages containing JavaScript-like syntax or HTML injection attempts (reference: rules, logsource).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out malicious payloads being submitted to the CI4MS administrative interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T12:00:00Z","date_published":"2024-01-27T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ci4ms-xss/","summary":"CI4MS versions prior to 0.31.2.0 are vulnerable to stored cross-site scripting due to improper sanitization of user-controlled input within the System Settings – Company Information, allowing attackers to inject arbitrary JavaScript into public-facing pages.","title":"CI4MS Improper Sanitization of User Input Leading to XSS","url":"https://feed.craftedsignal.io/briefs/2024-01-ci4ms-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39394"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CI4MS"],"_cs_severities":["high"],"_cs_tags":["ci4ms","codeigniter","env-injection","cve-2026-39394"],"_cs_type":"advisory","_cs_vendors":["CI4MS"],"content_html":"\u003cp\u003eCI4MS is a CodeIgniter 4-based CMS skeleton designed to provide a production-ready, modular architecture with features like RBAC authorization and theme support. Versions prior to 0.31.4.0 contain a critical vulnerability (CVE-2026-39394) within the Install::index() controller. This controller reads the 'host' POST parameter without proper validation and passes it directly to the \u003ccode\u003eupdateEnvSettings()\u003c/code\u003e function. This function, in turn, uses \u003ccode\u003epreg_replace()\u003c/code\u003e to write the value into the .env file. The lack of newline character stripping in the input allows an attacker to inject arbitrary configuration directives. Furthermore, the installation routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when the \u003ccode\u003ecache('settings')\u003c/code\u003e is empty, such as during initial deployment or after cache expiry. This vulnerability allows unauthenticated attackers to modify the application's configuration, leading to potentially complete system compromise. CI4MS deployments are vulnerable until upgraded to version 0.31.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a POST request to the \u003ccode\u003e/install\u003c/code\u003e route with a malicious 'host' parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInstall::index()\u003c/code\u003e controller receives the POST request.\u003c/li\u003e\n\u003cli\u003eThe controller bypasses CSRF protection due to it being explicitly disabled.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInstallFilter\u003c/code\u003e is bypassed because the \u003ccode\u003ecache('settings')\u003c/code\u003e is empty (e.g., on a fresh deployment).\u003c/li\u003e\n\u003cli\u003eThe 'host' parameter, containing injected configuration directives with newline characters, is passed to the \u003ccode\u003eupdateEnvSettings()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupdateEnvSettings()\u003c/code\u003e function uses \u003ccode\u003epreg_replace()\u003c/code\u003e to write the attacker-controlled 'host' parameter into the .env file without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected configuration directives are written into the .env file, modifying the application's configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can now leverage the modified configuration for further malicious activities, such as gaining unauthorized access, escalating privileges, or injecting malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to inject arbitrary configuration directives into the .env file. This can lead to a wide range of consequences, including but not limited to: database credential compromise, modification of application behavior, remote code execution, and complete system takeover. The number of potential victims is dependent on the number of CI4MS deployments running vulnerable versions (pre-0.31.4.0). Targeted sectors are likely to be diverse, reflecting the broad range of applications for which CI4MS is used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CI4MS to version 0.31.4.0 or later to patch CVE-2026-39394.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/install\u003c/code\u003e route containing newline characters in the 'host' parameter to detect potential exploitation attempts. Implement the provided Sigma rules to detect this activity.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on all user-supplied data, especially for parameters that are used to modify configuration files.\u003c/li\u003e\n\u003cli\u003eEnsure that CSRF protection is enabled and functioning correctly for all sensitive routes, including installation routes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-env-injection/","summary":"CI4MS versions prior to 0.31.4.0 are vulnerable to .env file injection via the Install::index() controller due to insufficient input validation and bypassed CSRF protection, allowing attackers to inject arbitrary configuration directives.","title":"CI4MS .env File Injection Vulnerability (CVE-2026-39394)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-ci4ms-env-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - CI4MS","version":"https://jsonfeed.org/version/1.1"}