CodeIgniter Shield, Stored XSS, (No CVE) Medium

Listen to this Post

How the vulnerability works:

The `ajax_blackList_post()` method in `UserController.php` (lines 344-362) accepts a `note` POST parameter with only a `required` validation rule, no sanitization. The raw input is passed to `$user->ban()` which uses Shield’s `Bannable::ban()` trait to store the message as-is in the database `status_message` field. Later, the `users()` method (lines 13-91) builds a DataTables JSON response. For banned users, it concatenates `$result->status_message` directly into an HTML `data-note` attribute without escaping (esc() is missing, unlike line 55 where other fields are escaped). The unsanitized string becomes part of the DOM when DataTables renders the row. CSP is disabled ($CSPEnabled = false in App.php), and no SecureHeaders filter applies. An admin with blacklist privileges can inject JavaScript via the `note` parameter. For example, `note=” onmouseover=”alert(document.cookie)” x=”` creates a <button data-note="" onmouseover="alert(document.cookie)" x="">. The payload fires when another admin hovers over the blacklist button. An alternative immediate-execution payload: note="><img src=x onerror=alert(document.cookie)>. The injected script runs in the context of any admin viewing /backend/users, leading to persistent XSS stored in the database.

dailycve form:

Platform: CodeIgniter Shield
Version: Unknown version
Vulnerability: Stored XSS note
Severity: Medium
date: 2026-04-09

Prediction: 2026-04-30

What Undercode Say:

Check if CSP is disabled
grep "CSPEnabled" app/Config/App.php
Search for unsafe concatenation in UserController
grep -n 'data-note="' modules/Users/Controllers/UserController.php
Simulate attack with curl (replace TARGET and SESSION)
curl -X POST 'https://TARGET/backend/users/blackList' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Cookie: ci_session=ADMIN_SESSION' \
-d 'uid=2¬e=%22+onmouseover%3D%22alert(document.cookie)%22+x%3D%22'

Exploit:

1. Identify an admin account with blacklist privileges.

  1. Send POST request to `/backend/users/blackList` with `uid` of target user and `note` containing XSS payload (e.g., "><img src=x onerror=alert(document.cookie)>).
  2. Wait for any other admin to visit `/backend/users` – the payload executes immediately or on hover, stealing session cookies.

Protection from this CVE:

  • Apply `esc($result->status_message)` in `UserController.php` line 58-59.
  • Enable CSP ($CSPEnabled = true in App.php).
  • Use `strip_tags()` or `htmlspecialchars()` before storing ban notes.
  • Limit blacklist privileges to trusted superadmins only.

Impact:

  • Persistent stored XSS affecting all admins viewing user list.
  • Session hijacking – attacker steals admin cookies, including superadmin sessions.
  • Privilege escalation – low-privileged admin can gain full control.
  • Payload remains in database, re-triggering on every page load.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top