GHSA-qxpq-82f3-xj47
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qxpq-82f3-xj47
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qxpq-82f3-xj47/GHSA-qxpq-82f3-xj47.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-qxpq-82f3-xj47
- Aliases
- Published
- 2026-04-22T17:27:46Z
- Modified
- 2026-05-08T20:21:25.878447Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
- Details
-
An attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-04-22T17:27:46Z", "nvd_published_at": "2026-05-07T04:16:26Z", "severity": "MODERATE" }- References
Affected packages
Packagist / ci4-cms-erp/ci4ms
Package
- Name
- ci4-cms-erp/ci4ms
- Purl
- pkg:composer/ci4-cms-erp/ci4ms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.31.5.0
Affected versions
0.*
0.21.0
0.21.1
0.21.2
0.21.3
0.21.3.1
0.21.3.2
0.21.3.3
0.21.3.4
0.21.3.5
0.21.3.6
0.21.3.7
0.23.0.0
0.23.0.1
0.23.0.2
0.23.1.0
0.24.0.0
0.24.0.16
0.24.0.18
0.24.0.19
0.24.0.20
0.24.0.27
0.24.0.42
0.24.0.45
0.24.0.60
0.25.0.0
0.25.0.1
0.25.0.2
0.25.0.30
0.25.0.39
0.25.0.43
0.25.1.0
0.25.2.0
0.25.3.0
0.26.0.0
0.26.1.0
0.26.2.0
0.26.3.0
0.26.3.1
0.26.3.2
0.26.3.3
0.26.3.4
0.27.0.0
0.28.0.0
0.28.3.0
0.28.4.0
0.28.5.0
0.28.6.0
0.31.0.0
0.31.1.0
0.31.2.0
0.31.3.0
0.31.4.0