Stored XSS in CI4MS Page Management

Successful exploitation allows an attacker to inject persistent JavaScript into page content or metadata rendered by the application. When viewed in affected administrative interfaces or public-facing pages, the payload can execute in the victim's browser in the context of the CI4MS application. This can enable session theft, unauthorized actions on behalf of authenticated users, administrative interface compromise, content manipulation, and access to sensitive data exposed to the browser. Because the vulnerable content is rendered in both admin and public contexts, impact may extend to privileged users as well as site visitors.

If immediate upgrade is not possible, restrict access to Page Management to trusted users only, monitor and review newly created or edited pages for injected script content, and apply strict contextual output encoding to all user-supplied page fields before rendering. Deploy a restrictive Content Security Policy where feasible to reduce script execution impact, though CSP should not be treated as a complete fix for stored XSS. Administrators should also inspect existing page records for previously stored malicious payloads.

Upgrade CI4MS to version 0.31.0.0 or later, which patches the vulnerable Page Management handling. Review and correct server-side input handling and output encoding for all page creation and editing fields, especially any fields rendered into administrative listings and public page views. Existing stored content should be audited for malicious payloads and sanitized or removed after patching.