Impact
This vulnerability in CI4MS allows an attacker to inject malicious JavaScript into the system’s mail configuration settings. Because the input is stored and later rendered without proper output encoding, the attack manifests as a stored DOM‑based cross‑site scripting flaw. When an affected user or administrator loads the compromised configuration page, the attacker‑controlled script executes with the privileges of that user, potentially exposing credentials and session cookies and enabling full platform compromise or account takeover across all roles.
Affected Systems
The issue affects releases of ci4‑cms‑erp’s CI4MS CMS skeleton prior to version 0.31.0.0. All installations that have not adopted this security update are vulnerable. Vendors and developers using this CMS should verify the installed version and plan an upgrade.
Risk and Exploitability
The vulnerability is exploitable through the web‑based configuration interface. An attacker only needs to submit malicious content into the Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, or TLS settings fields. Once stored, the payload is executed whenever the settings page is rendered, giving the attacker client‑side script execution that can be leveraged for session hijacking, credential theft, or privilege escalation. The CVSS score of 4.7 indicates moderate complexity, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not listed in the CISA KEV catalog, but the documented impact warrants proactive remediation.
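The defensive pattern for the flaw described above, as an added example that is not CI4MS code: the six field names come from the advisory, while the function names, validation rules and protocol allowlist are assumptions. It validates each setting before storage and encodes every value at render time, with the unencoded rendering beside it for comparison; the sample input is constructed.

```javascript
// Added example: field names mirror the six settings named in the advisory;
// function names, validation rules and the protocol allowlist are assumptions.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use inside HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Per-field validators applied before a value is stored.
const VALIDATORS = {
  mailServer: (v) => /^[A-Za-z0-9.-]{1,253}$/.test(v),
  mailPort: (v) => /^\d{1,5}$/.test(v) && Number(v) >= 1 && Number(v) <= 65535,
  emailAddress: (v) => /^[^\s@<>"']+@[A-Za-z0-9.-]+$/.test(v),
  emailPassword: (v) => v.length <= 256, // free text: output encoding is the only defence
  mailProtocol: (v) => ['smtp', 'sendmail', 'mail'].includes(v),
  tls: (v) => v === '0' || v === '1',
};

// Returns the names of fields whose values fail validation.
function rejectedFields(settings) {
  return Object.keys(VALIDATORS).filter((name) => !VALIDATORS[name](String(settings[name] ?? '')));
}

// Weak: stored values are concatenated into markup unencoded.
function renderUnsafe(settings) {
  return Object.keys(VALIDATORS)
    .map((name) => `<input name="${name}" value="${settings[name]}">`).join('\n');
}

// Hardened: every stored value is encoded at output time, even if it passed validation.
function renderSafe(settings) {
  return Object.keys(VALIDATORS)
    .map((name) => `<input name="${name}" value="${escapeHtml(settings[name])}">`).join('\n');
}

// Constructed sample: one field carries markup, the rest are ordinary values.
const sample = {
  mailServer: 'smtp.example.test"><script>/* constructed marker */</script>',
  mailPort: '587',
  emailAddress: 'noreply@example.test',
  emailPassword: 'p"w<d',
  mailProtocol: 'smtp',
  tls: '1',
};
```

Validation alone does not cover the password field, which must accept arbitrary characters, so the encoding step in `renderSafe` is what closes the rendering path for every field.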