Ci4ms
Monthly
Environment file injection in CI4MS versions prior to 0.31.4.0 allows remote attackers to inject arbitrary configuration directives by exploiting unvalidated newline characters in the host parameter during installation. The Install::index() controller's CSRF protection is intentionally disabled, and InstallFilter bypass is possible when settings cache expires or on fresh deployments. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite proof-of-concept availability (SSVC: poc). CVSS 8.1 reflects high potential impact but is tempered by high attack complexity (AC:H) requiring specific timing conditions.
CI4MS CMS skeleton versions below 0.31.4.0 permit complete application takeover through installation wizard re-access when the database becomes unreachable. Unauthenticated remote attackers exploit a race condition window during cache expiry or database downtime to bypass the install route guard and inject malicious database credentials into the .env configuration file. No active exploitation confirmed (not in CISA KEV), EPSS probability 0.01% indicates low observed targeting. Vendor patch released in version 0.31.4.0.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.
CI4MS (CodeIgniter 4 CMS) versions prior to 0.31.4.0 contain an authentication bypass vulnerability (CWE-285) that allows high-privileged users to escalate or circumvent authorization controls. The vulnerability affects the role-based access control (RBAC) system in CI4MS, enabling authenticated administrators to gain unauthorized access to protected resources or functions. With a CVSS score of 6.7 and EPSS exploitation probability indicating moderate real-world risk, this requires immediate patching in production deployments.
Stored cross-site scripting (XSS) in CI4MS administrative settings allows authenticated administrators to inject malicious scripts that execute on public-facing pages. The vulnerability affects CI4MS versions prior to 0.31.2.0, where unsanitized input in System Settings - Company Information fields is stored in the database and rendered without proper output encoding on the public frontend. CVSS 7.2 (High) with network attack vector and low complexity, requiring high privileges (PR:H). No public exploit identified at time of analysis. EPSS data not available.
Session fixation vulnerability in CI4MS (CodeIgniter 4 CMS) allows deactivated user accounts to maintain indefinite access through active sessions. Authenticated attackers whose accounts have been administratively disabled retain full high-privilege access (confidentiality, integrity, availability impact) until manual logout, bypassing intended access controls. Affects all versions prior to 0.31.0.0. EPSS data not available; no public exploit identified at time of analysis. CVSS 8.8 (High) reflects significant post-compromise persistence risk in enterprise CMS deployments with role-based access control.
Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).
Session persistence in CI4MS (CodeIgniter 4 CMS skeleton) allows deleted user accounts to retain full system access indefinitely through active sessions until manual logout. Affects all versions prior to 0.31.0.0. The authentication bypass enables unauthorized access to protected resources with high confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (CVSS 10.0 Critical). No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward to abuse by maintaining an active session before account deletion.
Stored cross-site scripting in CI4MS blog category management allows authenticated users to inject malicious JavaScript that executes across multiple application contexts including public blog pages and administrative interfaces. Affecting all versions prior to 0.31.0.0, attackers with low-privilege authenticated access can achieve scope change with high impact to confidentiality, integrity, and availability (CVSS 9.9). Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation is straightforward given low attack complexity.
Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. Attack requires low-privilege authentication (PR:L) but has scope change (S:C), enabling session hijacking and credential theft across user contexts. Vendor-released patch available in version 0.31.0.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Stored cross-site scripting in CI4MS (CodeIgniter 4 CMS) allows authenticated users with blog post management privileges to inject malicious JavaScript through unsanitized category fields, affecting all users who view blog posts containing the poisoned categories. The vulnerability is confirmed patched in version 0.31.0.0. With CVSS 9.1 (Critical) due to scope change and high confidentiality impact, and low attack complexity requiring only low-privilege authentication, this represents significant risk in multi-user CMS environments despite no confirmed active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). Vendor-released patch version 0.31.0.0 addresses the input sanitization failures. No public exploit identified at time of analysis; CVSS 9.1 reflects the scope change and cross-context impact enabling privilege escalation and potential administrator session compromise.
Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, attackers can exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Stored cross-site scripting in CI4MS menu management allows authenticated attackers to inject malicious scripts that execute in administrative and public contexts with changed scope impact. Affecting all CI4MS versions prior to 0.31.0.0, attackers with low-level privileges can exploit inadequate input sanitization in the Pages-to-navigation-menu workflow to persistently embed DOM-based XSS payloads. CVSS 9.1 (Critical) with scope change (S:C) indicates privilege escalation potential across trust boundaries. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though exploitation probability exists given low attack complexity (AC:L) and no user interaction requirement (UI:N).
Stored blind cross-site scripting in CI4MS backup management allows authenticated attackers to inject malicious JavaScript payloads via SQL-backed backup filenames, achieving scope change with high confidentiality impact and low integrity/availability impact. The vulnerability exploits insufficient input sanitization during backup upload processing and unsafe output rendering in administrative views. Vendor-released patch available in version 0.31.0.0. CVSS 9.1 (Critical) with network attack vector, low complexity, and low privilege requirement. No public exploit identified at time of analysis, though EPSS data unavailable for this recently disclosed GitHub-sourced CVE.
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts via unencoded System Settings - Company Information fields, which are later rendered to other users without proper output encoding. The vulnerability requires administrative privileges to exploit but poses a real risk in multi-user deployments where admin accounts may be compromised or where trust boundaries exist between administrative roles.
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts through unvalidated System Settings - Social Media Management configuration fields. The vulnerability stores attacker-controlled input server-side and renders it without proper output encoding, enabling script execution in the context of the application. This is a stored XSS vulnerability with limited real-world impact due to high-privilege prerequisite (PR:H), though it undermines the integrity and confidentiality of the CMS for downstream users viewing the affected settings.
Blind stored XSS in CI4MS CMS log viewer allows authenticated attackers to execute JavaScript in administrator sessions when reviewing application logs. Affects CI4MS versions prior to 0.31.0.0. The vulnerability enables low-privilege authenticated users to inject malicious payloads that persist in logs and execute when administrators access the logs interface (CVSS 9.1, Critical). EPSS data not available; no public exploit identified at time of analysis, though the attack technique is well-documented in XSS literature.
Stored cross-site scripting in CI4MS blog tag management (versions prior to 0.31.0.0) allows authenticated attackers to inject malicious JavaScript through unsanitized tag name fields, achieving code execution in victim browsers with scope change (CVSS 9.1, S:C). The payload persists server-side and executes on public tag pages and administrative interfaces, enabling session hijacking, credential theft, and administrative account compromise. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users with tag creation privileges.
Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not provided for risk probability assessment.
Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). Vendor-released patch version 0.31.0.0 addresses the input sanitization and output encoding failures. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE.
CI4MS (CodeIgniter 4 CMS skeleton) has a code injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary PHP code through the CMS module system.
CI4MS prior to version 0.28.5.0 contains an email enumeration vulnerability in its password reset functionality that allows unauthenticated attackers to determine whether specific email addresses are registered in the system. An attacker can exploit this information disclosure by analyzing response patterns during the authentication process to build a list of valid user accounts. A patch is available in version 0.28.5.0 and later.
Environment file injection in CI4MS versions prior to 0.31.4.0 allows remote attackers to inject arbitrary configuration directives by exploiting unvalidated newline characters in the host parameter during installation. The Install::index() controller's CSRF protection is intentionally disabled, and InstallFilter bypass is possible when settings cache expires or on fresh deployments. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite proof-of-concept availability (SSVC: poc). CVSS 8.1 reflects high potential impact but is tempered by high attack complexity (AC:H) requiring specific timing conditions.
CI4MS CMS skeleton versions below 0.31.4.0 permit complete application takeover through installation wizard re-access when the database becomes unreachable. Unauthenticated remote attackers exploit a race condition window during cache expiry or database downtime to bypass the install route guard and inject malicious database credentials into the .env configuration file. No active exploitation confirmed (not in CISA KEV), EPSS probability 0.01% indicates low observed targeting. Vendor patch released in version 0.31.4.0.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.
CI4MS (CodeIgniter 4 CMS) versions prior to 0.31.4.0 contain an authentication bypass vulnerability (CWE-285) that allows high-privileged users to escalate or circumvent authorization controls. The vulnerability affects the role-based access control (RBAC) system in CI4MS, enabling authenticated administrators to gain unauthorized access to protected resources or functions. With a CVSS score of 6.7 and EPSS exploitation probability indicating moderate real-world risk, this requires immediate patching in production deployments.
Stored cross-site scripting (XSS) in CI4MS administrative settings allows authenticated administrators to inject malicious scripts that execute on public-facing pages. The vulnerability affects CI4MS versions prior to 0.31.2.0, where unsanitized input in System Settings - Company Information fields is stored in the database and rendered without proper output encoding on the public frontend. CVSS 7.2 (High) with network attack vector and low complexity, requiring high privileges (PR:H). No public exploit identified at time of analysis. EPSS data not available.
Session fixation vulnerability in CI4MS (CodeIgniter 4 CMS) allows deactivated user accounts to maintain indefinite access through active sessions. Authenticated attackers whose accounts have been administratively disabled retain full high-privilege access (confidentiality, integrity, availability impact) until manual logout, bypassing intended access controls. Affects all versions prior to 0.31.0.0. EPSS data not available; no public exploit identified at time of analysis. CVSS 8.8 (High) reflects significant post-compromise persistence risk in enterprise CMS deployments with role-based access control.
Stored cross-site scripting in CI4MS backend user management allows authenticated attackers with low-level privileges to inject malicious JavaScript that executes automatically when administrators access affected pages, enabling session hijacking and full administrative account takeover. The vulnerability affects all versions prior to 0.31.0.0 with a critical CVSS score of 9.9 due to scope change and high impact across confidentiality, integrity, and availability. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis, though the technical barrier is low (AC:L, PR:L).
Session persistence in CI4MS (CodeIgniter 4 CMS skeleton) allows deleted user accounts to retain full system access indefinitely through active sessions until manual logout. Affects all versions prior to 0.31.0.0. The authentication bypass enables unauthorized access to protected resources with high confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (CVSS 10.0 Critical). No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward to abuse by maintaining an active session before account deletion.
Stored cross-site scripting in CI4MS blog category management allows authenticated users to inject malicious JavaScript that executes across multiple application contexts including public blog pages and administrative interfaces. Affecting all versions prior to 0.31.0.0, attackers with low-privilege authenticated access can achieve scope change with high impact to confidentiality, integrity, and availability (CVSS 9.9). Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data unavailable and exploitation is straightforward given low attack complexity.
Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. Attack requires low-privilege authentication (PR:L) but has scope change (S:C), enabling session hijacking and credential theft across user contexts. Vendor-released patch available in version 0.31.0.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Stored cross-site scripting in CI4MS (CodeIgniter 4 CMS) allows authenticated users with blog post management privileges to inject malicious JavaScript through unsanitized category fields, affecting all users who view blog posts containing the poisoned categories. The vulnerability is confirmed patched in version 0.31.0.0. With CVSS 9.1 (Critical) due to scope change and high confidentiality impact, and low attack complexity requiring only low-privilege authentication, this represents significant risk in multi-user CMS environments despite no confirmed active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). Vendor-released patch version 0.31.0.0 addresses the input sanitization failures. No public exploit identified at time of analysis; CVSS 9.1 reflects the scope change and cross-context impact enabling privilege escalation and potential administrator session compromise.
Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, attackers can exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Stored cross-site scripting in CI4MS menu management allows authenticated attackers to inject malicious scripts that execute in administrative and public contexts with changed scope impact. Affecting all CI4MS versions prior to 0.31.0.0, attackers with low-level privileges can exploit inadequate input sanitization in the Pages-to-navigation-menu workflow to persistently embed DOM-based XSS payloads. CVSS 9.1 (Critical) with scope change (S:C) indicates privilege escalation potential across trust boundaries. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though exploitation probability exists given low attack complexity (AC:L) and no user interaction requirement (UI:N).
Stored blind cross-site scripting in CI4MS backup management allows authenticated attackers to inject malicious JavaScript payloads via SQL-backed backup filenames, achieving scope change with high confidentiality impact and low integrity/availability impact. The vulnerability exploits insufficient input sanitization during backup upload processing and unsafe output rendering in administrative views. Vendor-released patch available in version 0.31.0.0. CVSS 9.1 (Critical) with network attack vector, low complexity, and low privilege requirement. No public exploit identified at time of analysis, though EPSS data unavailable for this recently disclosed GitHub-sourced CVE.
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts via unencoded System Settings - Company Information fields, which are later rendered to other users without proper output encoding. The vulnerability requires administrative privileges to exploit but poses a real risk in multi-user deployments where admin accounts may be compromised or where trust boundaries exist between administrative roles.
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows authenticated high-privilege administrators to inject malicious scripts through unvalidated System Settings - Social Media Management configuration fields. The vulnerability stores attacker-controlled input server-side and renders it without proper output encoding, enabling script execution in the context of the application. This is a stored XSS vulnerability with limited real-world impact due to high-privilege prerequisite (PR:H), though it undermines the integrity and confidentiality of the CMS for downstream users viewing the affected settings.
Blind stored XSS in CI4MS CMS log viewer allows authenticated attackers to execute JavaScript in administrator sessions when reviewing application logs. Affects CI4MS versions prior to 0.31.0.0. The vulnerability enables low-privilege authenticated users to inject malicious payloads that persist in logs and execute when administrators access the logs interface (CVSS 9.1, Critical). EPSS data not available; no public exploit identified at time of analysis, though the attack technique is well-documented in XSS literature.
Stored cross-site scripting in CI4MS blog tag management (versions prior to 0.31.0.0) allows authenticated attackers to inject malicious JavaScript through unsanitized tag name fields, achieving code execution in victim browsers with scope change (CVSS 9.1, S:C). The payload persists server-side and executes on public tag pages and administrative interfaces, enabling session hijacking, credential theft, and administrative account compromise. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users with tag creation privileges.
Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not provided for risk probability assessment.
Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). Vendor-released patch version 0.31.0.0 addresses the input sanitization and output encoding failures. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE.
CI4MS (CodeIgniter 4 CMS skeleton) has a code injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary PHP code through the CMS module system.
CI4MS prior to version 0.28.5.0 contains an email enumeration vulnerability in its password reset functionality that allows unauthenticated attackers to determine whether specific email addresses are registered in the system. An attacker can exploit this information disclosure by analyzing response patterns during the authentication process to build a list of valid user accounts. A patch is available in version 0.28.5.0 and later.