CVE-2026-34563

Severity: CRITICAL 9.9
EPSS: 0.05%

CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS

Published: 4/1/2026
Modified: 5/5/2026

Description

## Summary

### **Vulnerability: Stored DOM Blind XSS via Backup Management Filename (Persistent Payload Injection)**

- Stored Cross-Site Scripting (Blind XSS) via Unsanitized Backup Filename in Backup Management

### Description

The application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded `xss.sql`, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS).

### Affected Functionality

- Backup upload functionality
- Backup processing functionality
- Backup storage and retrieval logic

### Attack Scenario

- An attacker uploads `xss.sql`, which uses SQL functionality to insert a malicious XSS payload into the backup filename field server-side.
- The application stores this filename without sanitization or encoding.
- The payload persists and executes whenever the backup filename is rendered in affected views.
- The attacker does not see immediate execution, making this a Blind XSS scenario that triggers only when an administrator or privileged user views the backup management panel.

### Impact

- Persistent Stored Blind XSS
- Execution of arbitrary JavaScript in victims' browsers
- Privilege escalation when viewed by administrators or privileged users
- Full administrator account takeover
- Full account takeover across all roles
- Full compromise of the entire application

Endpoints:

- `/backend/backup/upload`
- `/backend/backup/`
- `/backup/{id}`

## Steps To Reproduce (POC)

1. Upload `xss.sql` via the Backup Upload functionality.
2. Ensure the SQL executes and inserts an XSS payload into the backup filename field, such as: `<img src=x onerror=alert(document.domain)>`
3. Navigate to the Backup Management panel as an administrator.
4. View the backup entry via the administrative panel.
5. Notice the XSS payload executing automatically (Blind XSS).

## Remediation

- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.
- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.
- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.
- **Enforce security headers and cookie attributes:**
  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.
  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.
  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.
  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.

These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.

# Ready Video POC:

https://mega.nz/file/eNFXgAAA#IETbPcKwr5vVLqJIAdc3uy4qgcVTgyPb_2HhB4zcwAE
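The remediation above names the two controls that matter most here: encoding user-controlled data on output instead of handing it to an HTML sink, and hardening the session cookie so that a script which does execute cannot simply read it. The example below is added here to illustrate both; it is not code from CI4MS. The `escapeHtml`, `renderBackupRow*`, `setFilenameCell` and `missingCookieAttributes` helpers, the `ci_session` cookie name and the sample backup record are all constructed for the illustration.

```javascript
// Added example, not CI4MS project code. Shows (1) HTML-entity encoding
// of a user-controlled backup filename before it reaches an HTML sink and
// (2) a check for the cookie attributes the advisory recommends.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample record: the filename carries the tag the advisory uses.
const SAMPLE_BACKUP = {
  id: 7,
  filename: "2026-04-01<img src=x onerror=alert(document.domain)>.sql",
};

// Unsafe pattern: raw field values interpolated into markup that is later
// assigned via innerHTML / jQuery .html(). Kept only to contrast with the fix.
function renderBackupRowUnsafe(backup) {
  return `<tr><td>${backup.id}</td><td>${backup.filename}</td></tr>`;
}

// Hardened pattern: every user-controlled field is entity-encoded on output,
// so the browser renders the filename as text instead of parsing it as a tag.
function renderBackupRowSafe(backup) {
  return `<tr><td>${escapeHtml(backup.id)}</td><td>${escapeHtml(backup.filename)}</td></tr>`;
}

// When the view is built client-side, assign user data with textContent,
// which never invokes the HTML parser, rather than innerHTML.
function setFilenameCell(cell, filename) {
  cell.textContent = filename;
  return cell;
}

// Report which of HttpOnly, Secure and SameSite a Set-Cookie header lacks.
// Attribute names are case-insensitive per RFC 6265.
function missingCookieAttributes(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1) // first segment is name=value
    .map((s) => s.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// A starting-point CSP of the kind the remediation calls for; assumed value,
// to be tuned to the application's real script and asset origins.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

// Stand-alone demonstration.
console.log("unsafe :", renderBackupRowUnsafe(SAMPLE_BACKUP));
console.log("safe   :", renderBackupRowSafe(SAMPLE_BACKUP));
console.log("weak cookie lacks:", missingCookieAttributes("ci_session=abc123; Path=/"));
console.log("hardened cookie lacks:",
  missingCookieAttributes("ci_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"));
console.log("CSP:", EXAMPLE_CSP);
```

The unsafe render emits the `<img ...>` tag verbatim, which is exactly the sink the advisory describes; the safe render emits `&lt;img ...&gt;`, which the browser displays as the literal filename. Encoding at the output layer, rather than trying to strip tags at upload time, is what makes the fix hold even when the payload arrives through a side channel such as the SQL-inserted filename here.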

Affected packages (1)

CVSS scores

| Source | Version  | Severity     | Vector                                       |
|--------|----------|--------------|----------------------------------------------|
| osv    | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |

References (4)