Peeefour
#2790 of 53,624 · Total CVSS 90.2
Vulnerabilities: 10 (Critical: 9, High: 1)
PT-2026-30012 · CVSS 9.4 · 2026-04-03
Packagist · Ci4-Cms-Erp/Ci4Ms · CVE-2026-34989

**Name of the Vulnerable Software and Affected Versions**
The product name cannot be determined (affected versions not specified).

**Description**
The application does not properly sanitize user-controlled input when updating profile names, allowing an attacker to inject a malicious JavaScript payload. The payload is stored server-side and executed when the name is rendered in multiple application views, resulting in stored cross-site scripting (XSS). The issue affects the user profile storage and retrieval logic, as well as endpoints such as `/backend/users/profile/` and `/backend/users/`. The vulnerability can lead to privilege escalation and account takeover, particularly when the profile is viewed by administrators or displayed on public-facing pages. In the attack scenario, an attacker updates their own profile name with an XSS payload, which then executes in the browsers of users who view the profile, potentially leading to administrative privilege escalation and full admin account takeover.

**Recommendations**
1. Eliminate unsafe DOM sinks such as `.html()` and `innerHTML`, replacing them with safe alternatives such as `.text()` or `textContent`.
2. Apply context-appropriate HTML entity encoding to all user-controlled data before rendering it in the DOM.
3. Sanitize all user-controlled fields server-side, especially profile name fields, before storing values in the database.
4. Apply a defense-in-depth approach that combines input validation, output encoding, and Content Security Policy (CSP) headers.
PT-2026-29630 · CVSS 9.1 · 2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34565

**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
The application does not properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). An attacker who can create or control a post containing a malicious JavaScript payload can add it to the menu, after which the payload executes whenever the menu is rendered. This can lead to privilege escalation, full administrator account takeover, and full compromise of the application. The affected API endpoint is `/backend/menu/`; the unsafe rendering occurs in the post entries of Menu Management, specifically when adding posts to navigation menus.

**Recommendations**
For versions prior to 0.31.0.0:
1. Avoid unsafe DOM manipulation methods such as `.html()` and `innerHTML`.
2. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
3. Sanitize all user-supplied input before it is processed or output.
4. Enforce security headers and cookie attributes, including Content Security Policy (CSP), the `HttpOnly` flag on session cookies, the `SameSite` attribute, and the `Secure` flag for HTTPS transmission.
PT-2026-29629 · CVSS 9.1 · 2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34564

**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
The application does not properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding. The stored payload is then rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS). The vulnerable functionality comprises the Menu Management – Pages section, the action of adding pages to navigation menus, and the menu storage and rendering logic. An attacker who can create or control a page containing a malicious JavaScript payload can add the page to the menu, after which the payload executes whenever the menu is rendered. This can lead to privilege escalation, full administrator account takeover, and full compromise of the application. The vulnerable API endpoint is `/backend/menu/`.

**Recommendations**
For versions prior to 0.31.0.0:
1. Upgrade to version 0.31.0.0 or later to address the vulnerability.
2. Avoid unsafe DOM manipulation methods such as `.html()` and `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
4. Sanitize all user-supplied input before it is processed or output.
5. Enforce security headers and cookie attributes, including Content Security Policy (CSP), the `HttpOnly` flag, the `SameSite` attribute, and the `Secure` flag.
PT-2026-29631 · CVSS 9.1 · 2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34566

**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
CI4MS, a CodeIgniter 4-based CMS, is susceptible to stored DOM-based cross-site scripting (XSS) through the Page Management functionality. The application does not properly sanitize user-controlled input in multiple fields during page creation or editing. These unsanitized values are stored server-side and rendered without output encoding in administrative page lists and public-facing page views, enabling the execution of malicious JavaScript payloads. Affected fields include Title, URL, Content, Cover Image, Image URL, Image Width, Image Height, SEO Description, and SEO Keywords. A payload injected into any of these fields executes in the browsers of administrators, authenticated users, and visitors. The affected API endpoints are `/backend/pages/create`, the page list management view, and the public-facing page views.

**Recommendations**
1. Update versions prior to 0.31.0.0 to version 0.31.0.0 or later.
2. Avoid unsafe DOM manipulation methods such as `.html()` and `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
4. Sanitize all user-supplied input before it is processed or output.
5. Enforce security headers and cookie attributes, including Content Security Policy (CSP), the `HttpOnly` flag, the `SameSite` attribute, and the `Secure` flag.
PT-2026-29117 · CVSS 7.2 · 2026-03-30
Ci4Ms · Ci4Ms · CVE-2026-27599

**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
CI4MS, a CodeIgniter 4-based CMS skeleton, does not properly sanitize user-controlled input within System Settings – Mail Settings. Configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and rendered without proper output encoding. This results in stored, same-page DOM-based cross-site scripting (XSS): a malicious JavaScript payload injected into these fields executes immediately on the same settings page, in the browser context of the authenticated user. The affected functionality is the System Settings – Mail Settings configuration and the rendering of its user-controlled input fields, served by the API endpoint `/backend/settings/` (Mail Settings). Vulnerable parameters include `Mail Server`, `Mail Port`, `Email Address`, `Email Password`, `Mail Protocol`, and `Domain`.

**Recommendations**
1. Update versions prior to 0.31.0.0 to version 0.31.0.0 or later.
2. Apply proper HTML encoding and input sanitization to all configuration fields.
3. Enforce CSP and the HttpOnly, SameSite, and Secure cookie flags to reduce the severity of XSS and potential CSRF escalation.
4. Audit all other system settings fields for similar attribute injection vulnerabilities.