PT-2026-30012 · Packagist (+1) · Ci4-Cms-Erp/Ci4Ms (+1)
Reported by Bugmithlegend (+1) · Published 2026-04-03 · Updated 2026-04-27 · CVE-2026-34989
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Ci4-Cms-Erp/Ci4Ms, as listed under Affected Products below (affected versions not specified).

Description
The application does not properly sanitize or encode user-controlled input when a user updates their profile name, so an attacker holding an ordinary low-privileged account (PR:L in the vector above) can store a JavaScript payload in that field. The payload is persisted server-side and executes whenever the name is rendered, which happens in several application views: the issue affects the user profile storage and retrieval logic as well as endpoints such as /backend/users/profile/ and /backend/users/. This is a stored cross-site scripting (XSS) vulnerability. Because the stored name is displayed to administrators in the backend and on public-facing pages that show user profiles, the payload runs in the browsers of those viewers; when an administrator views it, the script runs with the administrator's session, giving the attacker privilege escalation and full admin account takeover.
Recommendations
  1. Eliminate unsafe DOM sinks such as jQuery's .html() and innerHTML when inserting the profile name client-side, and replace them with safe alternatives such as .text() or textContent, which insert the value as text rather than parsing it as markup.
  2. Apply HTML entity encoding appropriate to the output context (element body, attribute value, JavaScript string) to all user-controlled data before it is rendered, in server-side templates as well as in client-side code. Output encoding is the primary control against stored XSS.
  3. Validate and sanitize user-controlled fields server-side, especially the profile name, before storing values in the database (allowed characters, maximum length). Treat this as defense in depth rather than a substitute for output encoding: a value that passes validation today may be rendered in a new context tomorrow.
  4. Combine input validation, output encoding, and a Content Security Policy (CSP) header that disallows inline scripts and inline event handlers, so that a payload which slips past encoding still cannot execute.
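The four recommendations above, shown together as an added JavaScript example. This is not code from Ci4Ms (a PHP package on Packagist) or from the advisory; the function names, the constructed stored payload, the name pattern and the CSP value are assumptions chosen for illustration. It contrasts the vulnerable concatenation pattern with the encoded one, shows the textContent sink replacement, and applies server-side validation as a secondary control.

```javascript
// Added example: stored-XSS-safe handling of a user-controlled profile name.
// Not code from Ci4Ms; all names below are illustrative assumptions.

// Constructed payload of the kind an attacker would save as a profile name.
const STORED_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Context-appropriate HTML entity encoding for element bodies and for
// double-quoted attribute values. Encoding both quote characters is what
// makes the same encoder safe inside attributes as well as in body text.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so the payload becomes live HTML when an admin or visitor views the page.
function renderProfileCardUnsafe(user) {
  return `<div class="profile" data-name="${user.name}"><h2>${user.name}</h2></div>`;
}

// Hardened pattern: every interpolation of user data goes through escapeHtml.
function renderProfileCardSafe(user) {
  const name = escapeHtml(user.name);
  return `<div class="profile" data-name="${name}"><h2>${name}</h2></div>`;
}

// Client side: the .html()/innerHTML sink replaced by textContent, which
// inserts the value as text and never parses it. `element` is any object with
// a textContent property (a real DOM node in the browser).
function showProfileName(element, name) {
  element.textContent = name; // never: element.innerHTML = name
  return element;
}

// Server-side validation applied before the name is stored (defense in depth;
// output encoding above remains the primary control). Letters, marks, digits,
// space, period, apostrophe and hyphen, 1 to 64 characters. Assumed policy.
const NAME_PATTERN = /^[\p{L}\p{M}\p{N} .'-]{1,64}$/u;
function validateProfileName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}

// CSP that blocks inline scripts and inline event handlers such as onerror.
// Assumed policy; tighten or loosen to the application's real script sources.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// True when the rendered markup still carries the raw <img tag, i.e. the
// payload survived rendering as live HTML. Escaped output contains &lt;img.
function containsRawImgTag(html) {
  return /<img\b/i.test(html);
}

// Runs the stored payload through both render paths and the validator.
function demo() {
  const user = { name: STORED_PAYLOAD };
  return {
    unsafeRenderIsLive: containsRawImgTag(renderProfileCardUnsafe(user)),
    safeRenderIsLive: containsRawImgTag(renderProfileCardSafe(user)),
    payloadPassesValidation: validateProfileName(STORED_PAYLOAD),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log('Content-Security-Policy:', CSP_HEADER);
}
```

The encoder is deliberately the same for body and attribute contexts because it encodes both quote characters; a JavaScript-string context would need a different encoder, which is why recommendation 2 says "context-appropriate". The validator rejects the payload outright, but the safe render path does not depend on it: even a name that somehow bypassed validation is rendered inert.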

Tags: Exploit · Fix · LPE · Improper Privilege Management · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-34989
GHSA-VR2G-RHM5-Q4JR

Affected Products

Ci4-Cms-Erp/Ci4Ms
Ci4Ms