A critical stored XSS vulnerability in CI4MS allows attackers to compromise administrative sessions by injecting malicious JavaScript into group and role management fields.

The application fails to sanitize input in three distinct group-related fields within the RBAC management module. Malicious payloads are stored on the server and rendered without encoding in privileged administrative views, enabling stored Cross-Site Scripting (XSS).

This vulnerability can be used to hijack administrative sessions, steal CSRF tokens, or redirect administrators to malicious websites. Given the high CVSS score of 9.1, this stored XSS is considered critical because it targets the most privileged users of the CMS, potentially leading to a full application takeover.

Immediate Action: Upgrade CI4MS to version 0.31.0.0 or higher to implement proper input sanitization and output encoding for the affected management fields.

Proactive Monitoring: Inspect the database for existing JavaScript payloads in group and role tables and monitor for unusual administrative browser activity.

Compensating Controls: Implement a strong Content Security Policy (CSP) to prevent the execution of unauthorized inline scripts and restrict script sources.

Public Exploit Available: No

The severity of this XSS flaw necessitates an immediate update to version 0.31.0.0. Security teams should also verify that no malicious scripts have already been stored in the database prior to the update.