CI4MS Full-chain stored DOM XSS -> 50+ injection points -> full application compromise

Authors: bugmithalchemist (Bugmith | 0xAlchemist) • peeefour (p4)


A security and vulnerability research agency that aims to spread security awareness and publishes write-ups of vulnerabilities reported to bug bounty programs.

INTRODUCTION

This research presents a complete 0-day XSS discovery and exploitation walkthrough conducted on the CI4MS application.

The focus is not a single XSS instance but how one recurring insecure pattern allowed XSS to scale across the entire application. The write-up covers:

  • How XSS sinks were identified in a PHP + jQuery stack

  • How user-controlled input flows into those sinks

  • How stored XSS was achieved and weaponized

  • How one XSS primitive was scaled into 50+ vulnerabilities

  • How it led to full account takeover and privilege escalation


XSS SURFACE MAPPING (PHP + jQuery)

Step 1: Identify DOM Injection Sinks

grep -RInE --exclude-dir={vendor,node_modules,public} '(innerHTML\s*=|outerHTML\s*=|insertAdjacentHTML|\.html\()' .

Focus:

  • .html() -> primary XSS sink

  • innerHTML -> direct DOM execution

Step 2: Identify Server-Side Rendering

grep -RInE 'return\s+view|setBody|echo' modules/Menu/Controllers
grep -RInP '<\?=(?!\s*esc\()' modules/Menu/Views

(The second pattern uses a negative lookahead, so grep needs -P; the default extended regex syntax does not support it.)

Focus:

  • Raw HTML output

  • Missing escaping (esc())

Step 3: Trace User Input Sources

grep -Rn "getPost" modules/Menu
grep -Rn "getVar" modules/Menu

Focus:

  • Entry points for injection

Step 4: Map AJAX Data Flow

grep -nE '\$\.(ajax|get|post|load)\s*\(|fetch\(' ./modules/Menu/Views/menu.php

Focus:

  • Data returned by the server -> injected into the DOM
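The four passes above, as an added example in JavaScript (not part of the original write-up and not CI4MS code): the same sink, source, render and AJAX patterns expressed as regular expressions and run over a set of file snippets, so that the whole triage produces one report instead of four grep outputs. The file paths and contents below are constructed to imitate the CI4MS menu module and are not the project's real files.

```javascript
// Added example: port of the grep-based XSS surface mapping to a single scanner.
// Patterns follow the four steps of the write-up; file contents are constructed.

const SINK_PATTERNS = [
  { name: "innerHTML/outerHTML assignment", re: /\b(?:inner|outer)HTML\s*=/ },
  { name: "insertAdjacentHTML", re: /\binsertAdjacentHTML\s*\(/ },
  { name: "jQuery .html()", re: /\.html\s*\(/ },
];
const SOURCE_PATTERNS = [
  { name: "request->getPost", re: /->getPost\s*\(/ },
  { name: "request->getVar", re: /->getVar\s*\(/ },
];
const RENDER_PATTERNS = [
  { name: "return view()", re: /\breturn\s+view\s*\(/ },
  // Short echo tag whose expression is NOT wrapped in esc(); JS regexes support lookahead.
  { name: "unescaped short echo", re: /<\?=(?!\s*esc\s*\()/ },
  { name: "echo", re: /\becho\b/ },
];
const AJAX_PATTERNS = [
  { name: "jQuery AJAX / fetch", re: /\$\.(?:ajax|get|post|load)\s*\(|\bfetch\s*\(/ },
];

// Run one pattern set over one file, recording path, line number and the hit.
function scanFile(path, text, patterns) {
  const hits = [];
  text.split("\n").forEach((line, i) => {
    for (const { name, re } of patterns) {
      if (re.test(line)) hits.push({ path, line: i + 1, name, text: line.trim() });
    }
  });
  return hits;
}

// files: { path: contents }. Returns the four categories the write-up maps.
function mapSurface(files) {
  const report = { sinks: [], sources: [], renders: [], ajax: [] };
  for (const [path, text] of Object.entries(files)) {
    report.sinks.push(...scanFile(path, text, SINK_PATTERNS));
    report.sources.push(...scanFile(path, text, SOURCE_PATTERNS));
    report.renders.push(...scanFile(path, text, RENDER_PATTERNS));
    report.ajax.push(...scanFile(path, text, AJAX_PATTERNS));
  }
  return report;
}

// Constructed sample tree mimicking the pattern described on the page.
const SAMPLE_FILES = {
  "modules/Menu/Controllers/Menu.php": `
    $data = [
        'title'   => $this->request->getPost('URLname'),
        'seflink' => $this->request->getPost('URL'),
    ];
    return view('Modules\\Menu\\Views\\render-nestable2', $data);`,
  "modules/Menu/Views/render-nestable2.php": `
    <li class="dd-item"><div class="dd-handle"><?= $item['title'] ?></div></li>
    <span><?= esc($item['seflink']) ?></span>`,
  "modules/Menu/Views/menu.php": `
    $.post('/menu/list', function (data) {
        $('#list').html(data);
    });`,
};

const REPORT = mapSurface(SAMPLE_FILES);
console.log(JSON.stringify(REPORT, null, 2));
```

Reading the report in the order the page uses (source -> render -> AJAX -> sink) gives the data flow for a module in one pass; a view line flagged as "unescaped short echo" whose data comes from a flagged getPost and lands in a flagged .html() is exactly the chain described in the next section.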

XSS EXECUTION FLOW

User Input (POST) -> Stored in Database -> Retrieved by Controller -> Rendered into HTML View -> Returned via AJAX -> Injected using .html() -> Browser executes payload


SOURCE CODE ANALYSIS

Injection Sink

$('.dd').html(data);
$('#list').html(data);

jQuery's .html() behaves like innerHTML: it parses the string as HTML, so event-handler attributes such as onerror fire as soon as the markup is inserted, and, unlike raw innerHTML, jQuery also evaluates inline <script> blocks contained in the inserted markup.

User-Controlled Source

'title'   => $this->request->getPost('URLname'),
'seflink' => $this->request->getPost('URL'),
'target'  => $this->request->getPost('target'),

No sanitization; the values are stored directly in the database.

Rendering Layer

return view('Modules\Menu\Views\render-nestable2', ...)

The view outputs the stored fields as raw HTML; no escaping (esc()) is applied.

Data Flow Summary:
User Input -> Database (unsanitized) -> View rendering (raw HTML) -> AJAX response -> .html() injection -> XSS execution


ROOT CAUSE

Server-rendered HTML containing user-controlled data is injected into the DOM using jQuery .html() without any escaping or sanitization, creating persistent stored XSS.
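As an added example (not code from CI4MS or from the original research), the menu-item render path as the root cause describes it, beside a hardened version. The vulnerable renderer interpolates the stored title, seflink and target fields raw, which is what reaches .html(). The hardened one applies HTML entity encoding (the same five characters CodeIgniter's esc() covers in its default html context) and additionally allowlists the URL scheme and the target value, because encoding alone does not neutralise a javascript: URL in href. The function names and the sample stored item are assumptions made for the example.

```javascript
// Added example: vulnerable vs hardened rendering of a stored menu item.
// Field names (title, seflink, target) follow the write-up; everything else is illustrative.

const PAYLOAD = "<img src=x onerror=alert(document.domain)>"; // the page's PoC payload

// Vulnerable: mirrors a view that emits stored fields without esc().
function renderItemVulnerable(item) {
  return `<li class="dd-item"><div class="dd-handle">` +
    `<a href="${item.seflink}" target="${item.target}">${item.title}</a></div></li>`;
}

// HTML entity encoding for text and attribute values (& < > " ').
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  })[c]);
}

// URL attribute: allow site-relative paths and http(s) URLs only.
// javascript:, data:, protocol-relative and unparsable values collapse to "#".
function safeHref(url) {
  const s = String(url).trim();
  if (s.startsWith("/") && !s.startsWith("//")) return s;
  try {
    const u = new URL(s);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) { /* not an absolute URL */ }
  return "#";
}

// target: closed set of allowed values; anything else becomes _self.
const TARGETS = new Set(["_self", "_blank", "_parent", "_top"]);

// Hardened: encode every interpolation for its context and validate the two
// fields whose semantics encoding does not cover (URL scheme, target keyword).
function renderItemHardened(item) {
  const target = TARGETS.has(item.target) ? item.target : "_self";
  const rel = target === "_blank" ? ' rel="noopener noreferrer"' : "";
  return `<li class="dd-item"><div class="dd-handle">` +
    `<a href="${escapeHtml(safeHref(item.seflink))}" target="${target}"${rel}>` +
    `${escapeHtml(item.title)}</a></div></li>`;
}

// Constructed stored record: the PoC in title, a script URL in seflink, and an
// attribute-breakout attempt in target.
const STORED_ITEM = {
  title: PAYLOAD,
  seflink: "javascript:alert(1)",
  target: '" onmouseover="alert(2)',
};

console.log("vulnerable:", renderItemVulnerable(STORED_ITEM));
console.log("hardened:  ", renderItemHardened(STORED_ITEM));
```

Encoding in the server-rendered view is what repairs the data flow the page traces; on the client, a fragment that is plain data should still be inserted with .text() rather than .html(), so that a view which later regresses does not silently reopen the sink.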


WHY THIS SCALES

Untrusted Input + Stored Without Sanitization + Rendered Without Escaping + .html() = Stored XSS Everywhere

A single insecure pattern replicated across modules led to systemic compromise.


PROOF OF CONCEPT

<img src=x onerror=alert(document.domain)>

When stored as a menu title, the payload executes for every user who loads the menu, persists across sessions, and fires automatically as soon as the list is fetched via AJAX and inserted with .html().


Impact

  • Stored XSS across multiple application modules

  • Full Account Takeover (all user roles, including administrative accounts depending on session context)

  • Privilege escalation to administrative level upon account takeover

  • Session compromise (session token exposure and/or session hijacking depending on cookie configuration)

  • CSRF chaining to perform authenticated state-changing actions via compromised sessions


Amplifying Factors

  • Missing output encoding on user-controlled inputs, enabling persistent script injection

  • Missing Content Security Policy (CSP), increasing exploit reliability and reducing browser-level mitigation

  • Cookies not protected with HttpOnly and Secure flags, increasing risk of session exposure and interception

  • Missing or weak SameSite cookie restrictions, enabling cross-site request forgery (CSRF) scenarios
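An added example (not from the original research) that checks a response for the amplifying factors listed above: it parses the attributes of each Set-Cookie header and looks for a Content-Security-Policy header, then runs over a constructed weak response and a constructed hardened one. The cookie name and header values are constructed samples, not captured CI4MS traffic.

```javascript
// Added example: audit response headers for the XSS amplifiers the write-up lists
// (missing CSP, cookies without HttpOnly/Secure, absent or None SameSite).

// Parse one Set-Cookie header value into its name and the flags we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map(s => s.trim());
  const name = nameValue.split("=")[0];
  const flags = { httpOnly: false, secure: false, sameSite: null };
  for (const a of attrs) {
    const [k, v] = a.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") flags.httpOnly = true;
    else if (key === "secure") flags.secure = true;
    else if (key === "samesite") flags.sameSite = (v || "").trim();
  }
  return { name, ...flags };
}

// headers: array of [name, value] pairs as they appear in the response.
// Returns a list of findings; an empty list means none of the amplifiers is present.
function auditResponse(headers) {
  const findings = [];
  const names = headers.map(([n]) => n.toLowerCase());
  if (!names.includes("content-security-policy")) {
    findings.push("missing Content-Security-Policy: injected inline handlers run unrestricted");
  }
  for (const [n, v] of headers) {
    if (n.toLowerCase() !== "set-cookie") continue;
    const c = parseSetCookie(v);
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure (sent over plaintext HTTP)`);
    if (!c.sameSite || c.sameSite.toLowerCase() === "none") {
      findings.push(`${c.name}: SameSite absent or None (cross-site requests carry the session)`);
    }
  }
  return findings;
}

// Constructed responses. "ci_session" is only a sample cookie name here.
const WEAK_RESPONSE = [
  ["Content-Type", "text/html; charset=UTF-8"],
  ["Set-Cookie", "ci_session=abc123; Path=/"],
];
const HARDENED_RESPONSE = [
  ["Content-Type", "text/html; charset=UTF-8"],
  ["Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"],
  ["Set-Cookie", "ci_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
];

console.log("weak:", auditResponse(WEAK_RESPONSE));
console.log("hardened:", auditResponse(HARDENED_RESPONSE));
```

A CSP without 'unsafe-inline' in script-src blocks the onerror handler in the page's PoC outright, and HttpOnly removes document.cookie as the exfiltration target; neither replaces output encoding, but each removes one link from the chain described in the next section.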


EXPLOITATION CHAIN

  1. Stored XSS injection

  2. Victim interaction (or automatic trigger via AJAX)

  3. Session hijacking

  4. Account takeover

  5. Privilege escalation

  6. Full application compromise


XSS HUNTING METHODOLOGY

This research followed a repeatable pattern:

  1. Identify dangerous sinks (.html(), innerHTML)

  2. Trace user input sources (getPost)

  3. Follow data into storage

  4. Analyze rendering behavior (return view)

  5. Test payload execution

  6. Search for pattern reuse across codebase

This approach allows scaling from 1 bug -> dozens of vulnerabilities, identifying systemic flaws, and turning low-level bugs into critical impact.


RESULTS & EXPLOITATION

CVE IMPACT OVERVIEW

| Category | Module / Component | CVE ID | GHSA ID | Impact Type | Severity | Status |
|---|---|---|---|---|---|---|
| System Settings | Mail Settings | CVE-2026-27599 | GHSA-66m2-v9v9-95c3 | Stored XSS -> Full Platform Compromise & Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Permissions Management | CVE-2026-34557 | GHSA-rpjr-985c-qhvm | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Methods Management | CVE-2026-34558 | GHSA-v77r-xg3p-75g7 | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Blogs Tags | CVE-2026-34559 | GHSA-4333-387x-w245 | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Logs Module | CVE-2026-34560 | GHSA-r4v5-rwr2-q7r4 | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| System Settings | Social Media Management | CVE-2026-34561 | GHSA-gcfj-cf7j-vwgj | Stored XSS -> Full Platform Compromise & Full Account Takeover & Privilege Escalation | Critical | Assigned |
| System Settings | Company Information | CVE-2026-34562 | GHSA-v897-c6vq-6cr3 | Stored XSS -> Full Platform Compromise & Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Backup Management | CVE-2026-34563 | GHSA-85m8-g393-jcxf | Blind Stored XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Menu Management (Pages) | CVE-2026-34564 | GHSA-g4pp-fhgf-8653 | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Menu Management (Posts) | CVE-2026-34565 | GHSA-xgh5-w62m-8mpr | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Pages Management | CVE-2026-34566 | GHSA-458r-h248-29c5 | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Blogs Posts (Categories) | CVE-2026-34567 | GHSA-r33w-c82v-x5v7 | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Blogs Posts | CVE-2026-34568 | GHSA-x7wh-g25g-53vg | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Blogs Categories | CVE-2026-34569 | GHSA-fhrf-q333-82fm | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Profile Management | CVE-2026-34571 | GHSA-vr2g-rhm5-q4jr | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | User Management | CVE-2026-34989 | GHSA-vr2g-rhm5-q4jr | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| System Settings | Public-Facing Company Information | CVE-2026-35035 | GHSA-5ghq-42rg-769x | Stored DOM XSS -> Full Platform Compromise & Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Core Module | Backup Management v2 (filename field) | CVE-2026-41201 | GHSA-vr2g-rhm5-q4jr | Stored DOM XSS -> Full Account Takeover & Privilege Escalation | Critical | Assigned |
| Root Cause | CI4MS Architecture (Global Pattern) | None | None | Stored Input + Raw Render + .html() -> Systemic XSS | None | None |

There are many more beyond this table. The key finding is that the vulnerability was not limited to a single endpoint: the same unsafe .html() pattern was reused across the application, allowing a single stored XSS to scale into full application compromise.


FINAL TAKEAWAY

The vulnerability chain can be summarized as:

  • Initial Stored XSS via unsanitized input

  • Pattern reuse across the application (.html() sink)

  • Expansion into 50+ XSS injection points

  • Full session hijacking and account takeover

  • Privilege escalation across all roles

  • Chaining into CSRF and further attack vectors

The most dangerous bugs are not isolated vulnerabilities — they are insecure patterns embedded into the architecture.
