CI4MS is vulnerable to a critical stored XSS flaw in its administrative interface that allows for session hijacking and total backend takeover.

This is a Stored XSS vulnerability located in the backend user management functionality. An authenticated attacker can inject persistent JavaScript into user-controlled fields which then executes automatically when an administrator views the affected management page.

A successful exploit enables attackers to hijack administrative sessions, escalate privileges, and gain full control over the CMS. Despite being an XSS flaw, the CVSS score of 9.9 is justified by the direct path to full administrative compromise and system-wide impact.

Immediate Action: Update the CI4MS skeleton and associated modules to version 0.31.0.0 or higher immediately.

Proactive Monitoring: Audit backend user accounts for unauthorized additions or modifications and review access logs for suspicious administrative session activity.

Compensating Controls: Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and use a WAF to filter common XSS injection patterns.

Public Exploit Available: false

The ability to compromise administrative accounts via stored scripts is a critical risk. Administrators must apply the version 0.31.0.0 patch immediately to secure the backend management interface.