Listen to this Post
How the vulnerability works:
The `ajax_blackList_post()` method in `UserController.php` (lines 344-362) accepts a `note` POST parameter with only a `required` validation rule, no sanitization. The raw input is passed to `$user->ban()` which uses Shield’s `Bannable::ban()` trait to store the message as-is in the database `status_message` field. Later, the `users()` method (lines 13-91) builds a DataTables JSON response. For banned users, it concatenates `$result->status_message` directly into an HTML `data-note` attribute without escaping (esc() is missing, unlike line 55 where other fields are escaped). The unsanitized string becomes part of the DOM when DataTables renders the row. CSP is disabled ($CSPEnabled = false in App.php), and no SecureHeaders filter applies. An admin with blacklist privileges can inject JavaScript via the `note` parameter. For example, `note=” onmouseover=”alert(document.cookie)” x=”` creates a <button data-note="" onmouseover="alert(document.cookie)" x="">. The payload fires when another admin hovers over the blacklist button. An alternative immediate-execution payload: note="><img src=x onerror=alert(document.cookie)>. The injected script runs in the context of any admin viewing /backend/users, leading to persistent XSS stored in the database.
dailycve form:
Platform: CodeIgniter Shield
Version: Unknown version
Vulnerability: Stored XSS note
Severity: Medium
date: 2026-04-09
Prediction: 2026-04-30
What Undercode Say:
Check if CSP is disabled grep "CSPEnabled" app/Config/App.php Search for unsafe concatenation in UserController grep -n 'data-note="' modules/Users/Controllers/UserController.php Simulate attack with curl (replace TARGET and SESSION) curl -X POST 'https://TARGET/backend/users/blackList' \ -H 'X-Requested-With: XMLHttpRequest' \ -H 'Cookie: ci_session=ADMIN_SESSION' \ -d 'uid=2¬e=%22+onmouseover%3D%22alert(document.cookie)%22+x%3D%22'
Exploit:
1. Identify an admin account with blacklist privileges.
- Send POST request to `/backend/users/blackList` with `uid` of target user and `note` containing XSS payload (e.g.,
"><img src=x onerror=alert(document.cookie)>). - Wait for any other admin to visit `/backend/users` – the payload executes immediately or on hover, stealing session cookies.
Protection from this CVE:
- Apply `esc($result->status_message)` in `UserController.php` line 58-59.
- Enable CSP (
$CSPEnabled = trueinApp.php). - Use `strip_tags()` or `htmlspecialchars()` before storing ban notes.
- Limit blacklist privileges to trusted superadmins only.
Impact:
- Persistent stored XSS affecting all admins viewing user list.
- Session hijacking – attacker steals admin cookies, including superadmin sessions.
- Privilege escalation – low-privileged admin can gain full control.
- Payload remains in database, re-triggering on every page load.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

