Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
Summary:
An attacker can acheive Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via an SQLl file that tampers with the file name field to contain hidden XSS payload.
AnalysisAI
Remote code execution and full account takeover in CI4MS (CodeIgniter 4 CMS/ERP) allows authenticated high-privilege users to escalate to superadmin and compromise all accounts via stored DOM XSS in backup module filename fields. Attackers craft malicious SQL backup files containing hidden JavaScript payloads that execute when administrators view backup listings. Vendor-released patch available in version 0.31.5.0, addressing XSS via output escaping in DataTables rendering. No CISA KEV listing or public POC identified at time of analysis, but CVSS 9.1 Critical reflects scope change and multi-stage exploitation potential.
Technical ContextAI
CI4MS is a CodeIgniter 4-based content management and ERP system written in PHP. The vulnerability stems from CWE-79 (Cross-Site Scripting) in the backup management module's filename handling. When backup files (SQL dumps) are uploaded or restored, the application stores filename metadata in the database without sanitization. The backup listing interface uses DataTables to dynamically render filenames from database records without proper output encoding. An attacker with high privileges (PR:H) can upload a crafted SQL file containing embedded XSS payloads in the filename field. When other administrators access the backup management interface, the malicious JavaScript executes in their browser context (Stored DOM XSS), enabling session hijacking and further privilege escalation. The CPE identifier pkg:composer/ci4-cms-erp_ci4ms confirms this affects the Composer-distributed PHP package. The CVSS scope change (S:C) indicates the vulnerability breaks trust boundaries, allowing attackers to pivot from backup module access to full administrative control.
RemediationAI
Upgrade immediately to CI4MS version 0.31.5.0 or later, available at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0. The patch applies output escaping via esc() function to DataTables filename rendering in the Backup module, preventing stored DOM XSS execution. The release also addresses related vulnerabilities including Zip Slip RCE in backup restore and IDOR privilege escalation in UserController. If immediate upgrade is not feasible, implement compensating controls: restrict backup module access to only essential superadmin accounts (reduces attack surface by limiting who can upload malicious files), enable Content Security Policy headers to block inline script execution (add 'unsafe-inline' restrictions to script-src directive), and audit existing backup files for suspicious filenames containing JavaScript syntax (look for patterns like <script>, onerror=, or encoded payloads). Note that access restrictions only reduce likelihood, not vulnerability - they do not prevent exploitation if a trusted high-privilege account is already compromised. Manual input sanitization via output encoding is complex and error-prone compared to vendor patch. Vendor release notes at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 credit security researchers @offset, @bugmithlegend, @peeefour, and @DexterHK for coordinated disclosure.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28253
GHSA-qxpq-82f3-xj47