GHSA-FC4P-P49V-R948
Vulnerability from github – Published: 2026-04-01 22:09 – Updated: 2026-04-06 17:15
VLAI?
Summary
CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
Details
Summary
A critical Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise.
Details
The vulnerability resides in the backend user creation feature accessible via:
/backend/users
User-supplied input in the name and surname fields is stored without proper validation or sanitization. When this data is later rendered in the backend users listing page, it is injected directly into the HTML without output encoding.
Because of this, attackers can embed malicious JavaScript payloads that execute in the context of authenticated backend users.
This indicates missing contextual output escaping (e.g., HTML encoding) and insufficient input sanitization, leading to persistent script execution.
The vulnerability is particularly severe because:
- The payload is stored in the database (persistent XSS).
- The script executes automatically on page load.
- The affected page appears to be an administrative/backend interface, increasing the risk of privilege escalation.
PoC
Steps to reproduce:
- Navigate to:
http://localhost:8080/backend/users
-
Click Add New User.
-
Create a new user.
-
In the name and surname fields, insert the following payload:
adnan"><img src=1 onerror=alert(document.cookie)><<e>img src=1 onerror=alert(document.cookie)>
-
Save the user.
-
After saving, a popup displaying cookies will appear, demonstrating JavaScript execution.
-
Revisit:
http://localhost:8080/backend/users
- The popup automatically triggers again, confirming that the malicious script is stored and executed persistently.
Impact
Severity: Critical
This vulnerability enables:
- Persistent execution of attacker-controlled JavaScript in privileged backend contexts.
- Theft of session cookies, potentially leading to full account takeover.
- Unauthorized actions performed on behalf of administrators (CSRF-like behavior via XSS).
- Privilege escalation if a high-privilege user views the page.
- Injection of keyloggers, credential harvesting scripts, or malicious redirects.
- Full compromise of backend administrative functionality depending on role permissions.
Since the payload executes automatically without user interaction once stored, exploitation requires minimal effort and can impact all backend users.
Severity ?
9.9 (Critical)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.28.6.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ci4-cms-erp/ci4ms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34571"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T22:09:03Z",
"nvd_published_at": "2026-04-01T22:16:21Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nA critical Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise.\n\n---\n\n### Details\n\nThe vulnerability resides in the backend user creation feature accessible via:\n\n```\n/backend/users\n```\n\nUser-supplied input in the **name** and **surname** fields is stored without proper validation or sanitization. When this data is later rendered in the backend users listing page, it is injected directly into the HTML without output encoding.\n\nBecause of this, attackers can embed malicious JavaScript payloads that execute in the context of authenticated backend users.\n\nThis indicates missing contextual output escaping (e.g., HTML encoding) and insufficient input sanitization, leading to persistent script execution.\n\nThe vulnerability is particularly severe because:\n\n* The payload is stored in the database (persistent XSS).\n* The script executes automatically on page load.\n* The affected page appears to be an administrative/backend interface, increasing the risk of privilege escalation.\n\n---\n\n### PoC\n\nSteps to reproduce:\n\n1. Navigate to:\n\n```\nhttp://localhost:8080/backend/users\n```\n\n2. Click **Add New User**.\n\n3. Create a new user.\n\n4. In the **name** and **surname** fields, insert the following payload:\n\n```\nadnan\"\u003e\u003cimg src=1 onerror=alert(document.cookie)\u003e\u003c\u003ce\u003eimg src=1 onerror=alert(document.cookie)\u003e\n```\n\n5. Save the user.\n\n6. After saving, a popup displaying cookies will appear, demonstrating JavaScript execution.\n\n7. Revisit:\n\n```\nhttp://localhost:8080/backend/users\n```\n\n8. The popup automatically triggers again, confirming that the malicious script is stored and executed persistently.\n\u003cimg width=\"1534\" height=\"834\" alt=\"image\" src=\"https://github.com/user-attachments/assets/83f3d124-cf2e-472d-87cc-8c668ea81cba\" /\u003e\n\n---\n\n### Impact\n\nSeverity: **Critical**\n\nThis vulnerability enables:\n\n* Persistent execution of attacker-controlled JavaScript in privileged backend contexts.\n* Theft of session cookies, potentially leading to full account takeover.\n* Unauthorized actions performed on behalf of administrators (CSRF-like behavior via XSS).\n* Privilege escalation if a high-privilege user views the page.\n* Injection of keyloggers, credential harvesting scripts, or malicious redirects.\n* Full compromise of backend administrative functionality depending on role permissions.\n\nSince the payload executes automatically without user interaction once stored, exploitation requires minimal effort and can impact all backend users.",
"id": "GHSA-fc4p-p49v-r948",
"modified": "2026-04-06T17:15:59Z",
"published": "2026-04-01T22:09:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fc4p-p49v-r948"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34571"
},
{
"type": "PACKAGE",
"url": "https://github.com/ci4-cms-erp/ci4ms"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CI4MS: Stored Cross\u2011Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…