CVE-2026-34566

Severity: CRITICAL 9.1 | EPSS: 0.05%

CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Published: 4/1/2026 | Modified: 4/6/2026

Description

## Summary

### Vulnerability: Stored DOM XSS via Page Management Fields (Persistent Payload Injection)

Stored Cross-Site Scripting via unsanitized page creation and editing inputs.

### Description

The application does not sanitize or encode user-controlled input within the **Page Management** functionality when creating or editing pages. Multiple input fields accept attacker-controlled markup and JavaScript payloads, which are stored server-side as submitted. The stored values are later written into the administrative page list and into public-facing page views without output encoding, so the browser parses them as live markup and executes the embedded script. The result is stored cross-site scripting (XSS) that fires on every page load, with no interaction beyond the victim visiting the affected view.

### Affected Functionality

- Page creation functionality
- Page editing functionality
- Page list and management views
- Public-facing page rendering
- Storage and retrieval of page-related data

### Affected Fields

- Title
- URL
- Content
- Cover Image
- Image URL
- Image Width
- Image Height
- SEO Description
- SEO Keywords

### Attack Scenario

- An attacker with an account that can create or edit pages (the CVSS vector rates the required privilege as PR:L) injects an XSS payload into one or more page-related input fields.
- The application stores these values without sanitization or encoding.
- The payload is rendered into administrative page lists and public-facing page views.
- The payload executes automatically in the browser context of administrators, other authenticated users, and unauthenticated visitors who load those views.

### Impact

- Persistent stored XSS
- Execution of arbitrary JavaScript in victims' browsers
- Privilege escalation when the payload is viewed by administrators or other privileged users: the script runs inside their authenticated session and can issue any request they are allowed to make (for example creating or modifying accounts)
- Full administrator account takeover
- Full account takeover across all roles
- Full compromise of the entire application

Endpoints:

- `/backend/pages/create`
- Page list management view
- Public-facing page views

## Steps To Reproduce (POC)

1. Navigate to the Page Management -> Add Page interface.
2. Insert an XSS payload into any page-related field, for example: `<img src=x onerror=alert(document.domain)>`
3. Save or publish the page.
4. View the page via the administrative page list or the public-facing page.
5. Observe the XSS payload executing automatically.

## Remediation

- **Avoid unsafe HTML sinks:** Do not write stored data into HTML-interpreting sinks. On the client this means `.html()`, `innerHTML` and similar DOM methods; in server-side PHP views the equivalent is an unescaped `echo`/`<?= ?>` of a stored value. Even when user input flowing into these sinks is not immediately apparent, they introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.
- **Apply output encoding:** HTML-entity-encode all user-controlled data before rendering it, using the encoding appropriate to the context it lands in (element content, attribute value, URL). If the application is built on CodeIgniter 4, as the name suggests, its `esc()` helper takes such a context argument. URL-bearing fields (URL, Image URL, Cover Image) additionally need a scheme allow-list, since entity encoding alone does not stop a `javascript:` link from executing when followed; numeric fields (Image Width, Image Height) should be cast to integers before output.
- **Implement input sanitization:** Validate and sanitize all user-supplied input before it is stored. Currently, no sanitization mechanisms are in place, which should be addressed as a priority. Sanitization is a defense-in-depth measure: output encoding remains the primary fix, because stored data can be rendered in contexts the input filter did not anticipate.
- **Enforce security headers and cookie attributes:**
  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts; a policy that disallows inline script would block the `onerror` handler in the proof of concept.
  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies so that injected script cannot read the session cookie. Note that the script can still make authenticated requests from the victim's browser, so this limits cookie theft but does not prevent actions performed in the victim's session.
  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.
  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.

These measures collectively reduce the impact of XSS but do not remove the vulnerability itself; script running in the application's own origin can read anti-CSRF tokens from the page and issue same-origin requests, so output encoding of every affected field is the required fix and the headers limit the blast radius.

Video POC: https://mega.nz/file/iAkWAKQY#hCUv4DlMPFykPvb4gO94ZVGj64tpUk99gLxE6u1kASk
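The following is an added example, not CI4MS code and not part of the advisory. It reproduces the rendering pattern the advisory describes, stored page fields concatenated into a row that is then handed to an `innerHTML`/`.html()` sink, and places a hardened renderer beside it that applies the remediation above: entity encoding for element content and attribute values, a scheme allow-list for URL fields, and integer casting for the width and height fields. The field names follow the advisory's "Affected Fields" list; the page record, the `renderRow*` helpers and the `containsInjectedMarkup` check are constructed here for illustration. The PHP views of the real application would apply the same encoding server-side; JavaScript is used so the pattern runs stand-alone.

```javascript
// Added example (not CI4MS code). A stored page record is rendered into an admin-list
// row the unsafe way described in the advisory, then with context-aware output encoding.
// Field names follow the advisory's "Affected Fields"; the record is constructed here.

// Constructed sample: a record as an attacker could save it via /backend/pages/create.
const STORED_PAGE = {
  title: '<img src=x onerror=alert(document.domain)>',        // PoC payload from the advisory
  url: 'javascript:alert(document.domain)',                    // assumed: URL field is emitted as an href
  imageUrl: 'https://example.test/cover.png" onload="alert(1)', // attribute break-out attempt
  imageWidth: '300 onerror=alert(1)',                          // non-numeric value in a numeric field
  imageHeight: '200',
  seoDescription: 'Plain description',
};

// Vulnerable pattern: raw concatenation whose result is assigned to innerHTML / .html().
// The stored <img> becomes live DOM and its onerror handler fires when the row is drawn.
function renderRowUnsafe(page) {
  return `<tr><td><a href="${page.url}">${page.title}</a></td>` +
    `<td><img src="${page.imageUrl}" width="${page.imageWidth}" height="${page.imageHeight}"></td>` +
    `<td>${page.seoDescription}</td></tr>`;
}

// HTML entity encoding for element content and double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL attributes need a scheme allow-list on top of encoding: entity encoding keeps the
// attribute intact but does not stop a javascript: href from running when followed.
// Relative paths resolve against a placeholder base and are therefore accepted.
function safeUrl(value, fallback = '#') {
  try {
    const parsed = new URL(String(value), 'https://placeholder.invalid/');
    return ['http:', 'https:'].includes(parsed.protocol) ? escapeHtml(value) : fallback;
  } catch {
    return fallback;
  }
}

// Numeric attributes: accept only a short run of digits, otherwise use the fallback.
function safeInt(value, fallback = 0) {
  return /^\d{1,4}$/.test(String(value).trim()) ? String(Number(value)) : String(fallback);
}

// Hardened renderer: every field is encoded for the context it lands in.
function renderRowSafe(page) {
  return `<tr><td><a href="${safeUrl(page.url)}">${escapeHtml(page.title)}</a></td>` +
    `<td><img src="${safeUrl(page.imageUrl, '')}" width="${safeInt(page.imageWidth)}"` +
    ` height="${safeInt(page.imageHeight)}"></td>` +
    `<td>${escapeHtml(page.seoDescription)}</td></tr>`;
}

// Regression check: does the output contain an <img> tag other than the one the template
// itself emits, or any javascript: URL? True means stored markup reached the page live.
function containsInjectedMarkup(html) {
  const imgTags = html.match(/<img\b/gi) || [];
  return imgTags.length > 1 || /javascript:/i.test(html);
}

console.log('unsafe row injected:', containsInjectedMarkup(renderRowUnsafe(STORED_PAGE)));
console.log('safe row injected:  ', containsInjectedMarkup(renderRowSafe(STORED_PAGE)));
```

The encoded title in the safe row still contains the text `onerror=alert(document.domain)`, which is harmless once the angle brackets are entities; a check that greps for event-handler names would therefore flag a correct fix, so the regression check above looks for tag boundaries and `javascript:` schemes instead. Rich-text fields such as Content, which must keep some markup, need an HTML sanitizer with an element and attribute allow-list rather than plain entity encoding.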


CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
