CVE-2026-34560 (GCVE-0-2026-34560)

Vulnerability from cvelistv5 – Published: 2026-04-01 21:21 – Updated: 2026-04-02 13:58

Title

CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/ci4-cms-erp/ci4ms/security/adv…	x_refsource_CONFIRM
https://github.com/ci4-cms-erp/ci4ms/releases/tag…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
ci4-cms-erp	ci4ms	Affected: < 0.31.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34560",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T13:58:43.209067Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T13:58:46.604Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ci4ms",
          "vendor": "ci4-cms-erp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.31.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T21:21:33.806Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4"
        },
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
        }
      ],
      "source": {
        "advisory": "GHSA-r4v5-rwr2-q7r4",
        "discovery": "UNKNOWN"
      },
      "title": "CI4MS: Logs Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34560",
    "datePublished": "2026-04-01T21:21:33.806Z",
    "dateReserved": "2026-03-30T16:31:39.265Z",
    "dateUpdated": "2026-04-02T13:58:46.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-34560",
      "date": "2026-05-30",
      "epss": "0.00022",
      "percentile": "0.06686"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34560\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-01T22:16:19.333\",\"lastModified\":\"2026-04-13T18:00:22.750\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.31.0.0\",\"matchCriteriaId\":\"805F6B8A-9324-4CA4-BADE-439CC15DA14C\"}]}]}],\"references\":[{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34560\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T13:58:43.209067Z\"}}}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T13:58:35.359Z\"}}], \"cna\": {\"title\": \"CI4MS: Logs Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS\", \"source\": {\"advisory\": \"GHSA-r4v5-rwr2-q7r4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"ci4-cms-erp\", \"product\": \"ci4ms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.31.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4\", \"name\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0\", \"name\": \"https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-01T21:21:33.806Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34560\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T13:58:46.604Z\", \"dateReserved\": \"2026-03-30T16:31:39.265Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-01T21:21:33.806Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-34560

Vulnerability from fkie_nvd - Published: 2026-04-01 22:16 - Updated: 2026-04-13 18:00

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0	Release Notes
security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C",
              "versionEndExcluding": "0.31.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0."
    }
  ],
  "id": "CVE-2026-34560",
  "lastModified": "2026-04-13T18:00:22.750",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-04-01T22:16:19.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R4V5-RWR2-Q7R4

Vulnerability from github – Published: 2026-04-01 21:54 – Updated: 2026-04-06 17:13

Summary

CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Details

Summary

Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering (Administrative Context Execution)

Stored Cross-Site Scripting (Blind XSS) via Unsafe Rendering of User-Controlled Logged Data

Description

The application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding.

This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page.

For example, accessing /backend/backup/restore/xss-payload-here causes an error that gets logged by the application. If the injected portion contains an XSS payload, it is stored inside the logs without sanitization and later rendered unsafely inside the logs management interface.

When an administrator views the logs page, the stored payload executes automatically in the administrative browser context, leading to stored blind cross-site scripting (Blind XSS).

Affected Functionality

Application logging mechanism
Logs storage and retrieval logic
Logs rendering within administrative interface
Any endpoint that logs unsanitized user-controlled input

Attack Scenario

An attacker injects a malicious XSS payload into any user-controlled input that is logged by the application.
Example: Visit /backend/backup/restore/<img src=x onerror=alert(document.domain)>
The application throws an error and logs the malicious payload.
The payload is stored within application logs.
An administrator views the logs interface.
The payload executes automatically in the administrator’s browser context.

Any method or endpoint that logs user-controlled input without sanitization will result in the same Blind XSS condition when viewed inside logs management.

Impact

Persistent Stored Blind XSS
Execution of arbitrary JavaScript in administrators’ browsers
Privilege escalation when viewed by administrators
Full administrator account takeover
Full compromise of the entire application

Endpoints: - /backend/logs/ - /backend/backup/restore/{payload} - Any other endpoint that logs xss payloads there

Steps To Reproduce (POC)

Trigger an endpoint that logs user-controlled input, such as: /backend/backup/restore/<img src=x onerror=alert(document.domain)>
Ensure the request generates an error and the payload is written into application logs
Navigate to the logs interface as an administrator
View the logged entry
Notice the XSS payload executing automatically (Blind XSS)

Remediation

Avoid unsafe DOM manipulation methods: Do not use .html(), innerHTML, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.
Apply output encoding: Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.
Implement input sanitization: Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.
Enforce security headers and cookie attributes:
Content Security Policy (CSP): Define and enforce a strict CSP to limit the execution of unauthorized scripts.
HttpOnly flag: Set the HttpOnly attribute on session cookies to prevent client-side script access.
SameSite attribute: Configure the SameSite cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.
Secure flag: Ensure all cookies are transmitted only over HTTPS by enabling the Secure attribute.

These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.

Ready Video POC:

https://mega.nz/file/jRN3nDSR#wJCwyFhbeT-OYAwlaTD_7j6wc5wRgz1EGJL0bnuhHxY

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.28.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:54:27Z",
    "nvd_published_at": "2026-04-01T22:16:19Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n### **Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering (Administrative Context Execution)**\n- Stored Cross-Site Scripting (Blind XSS) via Unsafe Rendering of User-Controlled Logged Data\n\n### Description\nThe application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding.\n\nThis issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page.\n\nFor example, accessing `/backend/backup/restore/xss-payload-here` causes an error that gets logged by the application. If the injected portion contains an XSS payload, it is stored inside the logs without sanitization and later rendered unsafely inside the logs management interface.\n\nWhen an administrator views the logs page, the stored payload executes automatically in the administrative browser context, leading to stored blind cross-site scripting (Blind XSS).\n\n### Affected Functionality\n- Application logging mechanism\n- Logs storage and retrieval logic\n- Logs rendering within administrative interface\n- Any endpoint that logs unsanitized user-controlled input\n\n### Attack Scenario\n- An attacker injects a malicious XSS payload into any user-controlled input that is logged by the application.\n- Example: Visit `/backend/backup/restore/\u003cimg src=x onerror=alert(document.domain)\u003e`\n- The application throws an error and logs the malicious payload.\n- The payload is stored within application logs.\n- An administrator views the logs interface.\n- The payload executes automatically in the administrator\u2019s browser context.\n\nAny method or endpoint that logs user-controlled input without sanitization will result in the same Blind XSS condition when viewed inside logs management.\n\n### Impact\n- Persistent Stored Blind XSS\n- Execution of arbitrary JavaScript in administrators\u2019 browsers\n- Privilege escalation when viewed by administrators\n- Full administrator account takeover\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/logs/`\n- `/backend/backup/restore/{payload}`\n- Any other endpoint that logs xss payloads there\n\n## Steps To Reproduce (POC)\n1. Trigger an endpoint that logs user-controlled input, such as:\n   `/backend/backup/restore/\u003cimg src=x onerror=alert(document.domain)\u003e`\n2. Ensure the request generates an error and the payload is written into application logs\n3. Navigate to the logs interface as an administrator\n4. View the logged entry\n5. Notice the XSS payload executing automatically (Blind XSS)\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n# Ready Video POC:\nhttps://mega.nz/file/jRN3nDSR#wJCwyFhbeT-OYAwlaTD_7j6wc5wRgz1EGJL0bnuhHxY",
  "id": "GHSA-r4v5-rwr2-q7r4",
  "modified": "2026-04-06T17:13:53Z",
  "published": "2026-04-01T21:54:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34560"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CI4MS: Logs Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34560 (GCVE-0-2026-34560)

FKIE_CVE-2026-34560

GHSA-R4V5-RWR2-Q7R4

Summary

Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering (Administrative Context Execution)

Description

Affected Functionality

Attack Scenario

Impact

Steps To Reproduce (POC)

Remediation

Ready Video POC:

Tags

Sightings

Nomenclature