Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
Published: 2026-04-08
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting via srcdoc attribute bypass
Action: Patch Immediately
AI Analysis

Impact

CI4MS, a CodeIgniter 4 CMS skeleton, contains a stored cross-site scripting flaw in the Google Maps iframe configuration. Administrators edit the cMap field, and the input is filtered with strip_tags() (allowing the <iframe> tag) and a regex that removes on\w+ event-handler attributes. Neither step guards the srcdoc attribute, so an attacker can store an <iframe> whose srcdoc value contains HTML-entity-encoded JavaScript: the browser decodes the entities when it parses the attribute, and a srcdoc document inherits the origin of the embedding page unless the iframe is sandboxed. The script therefore runs in the parent page's origin in the browser of any unauthenticated visitor who views the affected page, allowing cookie theft, page defacement, or further malicious actions.

Affected Systems

The vulnerability exists in all CI4MS versions prior to 0.31.4.0. The susceptible component is compInfosPost() handling the cMap field. Only users with administrative privileges can create or alter this field, so an attacker first needs to compromise or abuse admin credentials. Once stored, the payload propagates to every visitor of the rendered page.

Risk and Exploitability

The CVSS 3.1 score of 5.5 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity; EPSS is not available, the flaw is not listed in KEV, and the SSVC record shows exploitation at proof-of-concept level only, so there is no evidence of widespread exploitation. The attack requires admin access, which is a significant hurdle, but the changed scope (S:C) reflects that the injected code runs in the browsers of ordinary frontend visitors rather than only in the admin's own session. Organizations running vulnerable CI4MS installations should treat the flaw as high priority, especially where admin accounts are weakly protected or the stored settings are not monitored for unexpected iframe content.

Generated by OpenCVE AI on April 8, 2026 at 16:23 UTC.

Remediation

Fixed in CI4MS 0.31.4.0 (see GHSA-x3hr-cp7x-44r2). No separate vendor workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Upgrade to CI4MS 0.31.4.0 or later, the version the advisory identifies as fixed.
  • If an immediate upgrade is not possible, disable the Google Maps iframe setting, or replace the free-form filter with one that parses the value and re-emits a single <iframe> carrying only an allowlisted src (the Google Maps embed URL) and no other attributes. A blocklist that merely strips srcdoc repeats the pattern that failed here: strip_tags() preserves every attribute of an allowed tag, and any attribute not named in the blocklist gets through.
  • Audit and rotate administrative credentials, and restrict the settings module to the smallest set of trusted users.
  • Because the payload is stored, upgrading does not remove a payload that is already saved: inspect the stored cMap setting for any iframe with a srcdoc attribute or entity-encoded script and replace it with a clean embed.
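The following is an added example, not CI4MS code, illustrating both the filter bypass described under Impact and the parse-and-re-emit replacement recommended above. legacyFilterCMap() approximates the pre-0.31.4.0 behaviour the advisory describes (strip_tags() with an <iframe> allowlist plus regex removal of on* handlers); the exact regex CI4MS used is not on this page, so the one here is an assumption, as are the function names, the allowlisted hosts and the /maps/embed path check. Run against the constructed srcdoc payload, the legacy filter returns it unchanged while the hardened filter rejects it, because the rebuilt element only ever carries attributes the code itself writes.

```php
<?php
declare(strict_types=1);

// Added example, not CI4MS code. legacyFilterCMap() mirrors the described
// pre-0.31.4.0 logic (the regex is an assumption); hardenedFilterCMap() is
// the parse-validate-re-emit replacement a reviewer would ask for.

function legacyFilterCMap(string $input): string
{
    // strip_tags() drops disallowed tags but keeps every attribute of an
    // allowed one, so srcdoc="..." survives untouched.
    $out = strip_tags($input, '<iframe>');
    // Remove on<event>=... attributes (onload, onerror, ...). "srcdoc" does
    // not begin with "on", so it is never matched.
    return (string) preg_replace(
        '/\s+on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i',
        '',
        $out
    );
}

function hardenedFilterCMap(string $input): ?string
{
    // Assumption: only Google Maps embed URLs are acceptable in this setting.
    $allowedHosts = ['www.google.com', 'maps.google.com'];

    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $dom->loadHTML(
        '<!DOCTYPE html><html><body>' . $input . '</body></html>',
        LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }

    // Exactly one <iframe>; anything else is rejected outright.
    $iframes = $dom->getElementsByTagName('iframe');
    if ($iframes->length !== 1) {
        return null;
    }
    $iframe = $iframes->item(0);

    // src must be an absolute https URL on an allowlisted host under
    // /maps/embed. getAttribute() returns the entity-decoded value, so the
    // check sees what the browser would see.
    $src = $iframe->getAttribute('src');
    $u = parse_url($src);
    if ($u === false
        || strtolower($u['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($u['host'] ?? ''), $allowedHosts, true)
        || strpos($u['path'] ?? '', '/maps/embed') !== 0) {
        return null;
    }

    // Keep numeric width/height if present. Every other attribute, srcdoc
    // included, is discarded because the element is rebuilt from scratch.
    $width  = ctype_digit($iframe->getAttribute('width'))  ? $iframe->getAttribute('width')  : '600';
    $height = ctype_digit($iframe->getAttribute('height')) ? $iframe->getAttribute('height') : '450';

    return sprintf(
        '<iframe src="%s" width="%s" height="%s" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>',
        htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $width,
        $height
    );
}

// Constructed inputs for illustration: a srcdoc payload of the kind the
// advisory describes, and a legitimate embed that also carries an onload.
$bypass = '<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>';
$legit  = '<iframe src="https://www.google.com/maps/embed?pb=!1m18" width="600" height="450" onload="x()"></iframe>';

var_dump(legacyFilterCMap($bypass) === $bypass); // does the legacy filter pass the payload through unchanged?
var_dump(hardenedFilterCMap($bypass));           // hardened filter: no valid src, so rejected
var_dump(hardenedFilterCMap($legit));            // hardened filter: rebuilt element with src/width/height only
```

The hardened version is an allowlist by construction: it never copies attributes from the input, so there is no attribute name it can forget. As defence in depth at render time, an iframe emitted with a sandbox attribute that omits allow-same-origin places srcdoc content in an opaque origin, so even an already-stored payload cannot read the parent page's cookies or DOM; test that the Maps embed still works under whichever sandbox flags you choose.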


Advisories
Source: GitHub GHSA
ID: GHSA-x3hr-cp7x-44r2
Title: CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
History

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Type: Vendors & Products
Values Removed: (none)
Values Added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Wed, 08 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.

Type: Title
Values Added: CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:13:16.580Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39390

Vulnrichment

Updated: 2026-04-08T16:09:40.094Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T15:16:13.750

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:21Z

Weaknesses