EUVD-2026-20483
GHSA-x3hr-cp7x-44r2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
Analysis
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today