CVE-2026-34564
CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Description
## Summary ### **Vulnerability: Stored DOM XSS via Pages Added to Menu (Persistent Payload Injection)** - Stored Cross-Site Scripting via Unsafe Rendering of Page Entries in Menu Management ### Description The application fails to properly sanitize user-controlled input when **adding Pages to navigation menus** through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding. This stored payload is later rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS). ### Affected Functionality - Menu Management – Pages section - Adding pages to navigation menus - Menu storage and rendering logic ### Attack Scenario - An attacker creates or controls a page containing a malicious JavaScript payload. - The attacker adds the page to the menu using the **Pages** functionality in Menu Manager. - The application stores the menu entry without sanitization or encoding. - The payload persists and executes whenever the menu is rendered in administrative or public-facing interfaces. ### Impact - Persistent Stored DOM XSS - Execution of arbitrary JavaScript in victims’ browsers - Privilege escalation when viewed by administrators or privileged users - Full administrator account takeover - Full account takeover across all roles via the navigation menu - Full compromise of the entire application due to global execution in the navigation menu **Endpoint:** - `/backend/menu/` ## Steps To Reproduce (POC) 1. Navigate to the **Menu Management** section of the application. 2. Use the **Pages** functionality to add a page containing an XSS payload such as: `<img src=x onerror=alert(document.domain)>` 3. Save the menu entry. 4. View the menu in the administrative panel or any public-facing page. 5. Observe the JavaScript payload executing automatically when the menu is rendered. ## Remediation - **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit. - **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input. - **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority. - **Enforce security headers and cookie attributes:** - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts. - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access. - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks. - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute. These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS. # Ready Video POC: https://mega.nz/file/2c8lHSBQ#vwFDj0vhq7vLwMJjBjnAgbHWiIdFqUxAA913H_yQExQ