CVE-2026-34560
CI4MS · CI4MS
A stored blind XSS vulnerability in the CI4MS logs interface allows attackers to execute malicious scripts when an administrator views the application logs.
Executive summary
CI4MS contains a stored Blind XSS vulnerability in its logging system, enabling potential malicious script execution within administrative sessions.
Vulnerability
The application fails to properly encode log data before rendering it in the logs interface. Attackers can inject malicious payloads into application logs, which execute once an administrator navigates to the log management dashboard.
Business impact
This vulnerability enables attackers to perform actions on behalf of administrators, potentially leading to a full system compromise. The high CVSS score of 9.1 underscores the severity of allowing arbitrary code execution within the administrative control panel. Failure to remediate could result in significant data breaches or loss of administrative control.
Remediation
Immediate Action: Update CI4MS to version 0.31.0.0 to ensure proper output encoding of all logged data.
Proactive Monitoring: Regularly review log files for anomalous entries containing script tags or unexpected characters.
Compensating Controls: Restrict access to the administrative logs interface to trusted IP addresses and utilize a WAF to filter malicious payloads from incoming requests.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The vulnerability represents a critical risk due to its ability to target administrative users through standard system monitoring interfaces. Applying the vendor-provided patch is the only effective way to mitigate this risk and ensure the security of the management console.