dayrui XunRuiCMS Add Data Validation admind45f74adbd95.php cross site scripting
Platform: php
Component: vul
Fixed in: 4.7.1, 4.7.2
CVE-2025-14006 describes a cross-site scripting (XSS) vulnerability in XunRuiCMS versions 4.7.0 through 4.7.1. It allows an attacker to inject script into a page viewed by another user, which can lead to session hijacking or defacement. The affected component is the Add Data Validation page, specifically the /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 endpoint, where the data[name] parameter is reflected. The CVSS base score is Low, and the vector below requires a valid account (PR:L) and a victim who follows a crafted link (UI:R); even so, the public disclosure and remote reachability make this worth patching promptly.
Impact and Attack Scenarios
An attacker exploits this vulnerability by crafting a URL to the affected endpoint with a malicious data[name] value. When a logged-in user opens that URL, the injected script runs in their browser session, allowing the attacker to steal cookies, redirect the user to a phishing site, or alter page content. Because the page sits in the administrative backend, the most likely target is an administrator, and the impact ranges from nuisance to takeover of the CMS account whose session is hijacked. The attacker needs a low-privileged account on the target (PR:L) and must get the victim to follow the link (UI:R), so this is not a pre-authentication flaw, but the public disclosure raises the likelihood of exploitation by both automated scanners and targeted attackers.
Exploitation Context
This vulnerability was publicly disclosed on 2025-12-04. The disclosure states that the vendor was contacted but did not respond. Because details are public and the endpoint is reachable over the network, the vulnerability should be treated as exploitable. There is no indication that it has been added to the CISA KEV catalog, and no confirmed exploitation campaigns have been reported at this time. Public proof-of-concept requests are trivial to construct from the disclosure alone.
Who Is at Risk
Organizations and individuals running XunRuiCMS 4.7.0 or 4.7.1 are at risk. Multi-user installations are particularly exposed, because any holder of a low-privileged account can craft the link and use it to target an administrator's session. Installations that are not updated regularly are also at increased risk.
Detection Steps
• web server (access log):
grep -Ei 'admind45f74adbd95\.php\?[^ ]*data(\[|%5B)name(\]|%5D)=[^ ]*(<script|%3Cscript|javascript:|javascript%3A|onerror|onload)' /var/log/apache2/access.log
The log path is an example; substitute your own server's access log. This matches both raw and percent-encoded forms of the parameter name and the common payload markers.
• web server (reflection check, requires a valid backend session cookie because the page is behind the admin login):
curl -s -b 'COOKIE_NAME=VALUE' 'http://your-xunruicms-site.com/admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data%5Bname%5D=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E' | grep -F '<script>alert("XSS")</script>'
A match means the parameter is reflected unencoded; if the response contains only the entity-encoded form (&lt;script&gt;), the output is being escaped.
• generic web:
Inspect web server access logs for requests to /admind45f74adbd95.php whose data[name] parameter contains suspicious content such as <script>, javascript:, or inline event handlers (onerror=, onload=), in either raw or percent-encoded form, and review which source IPs and accounts issued them.
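The log inspection described above, carried through as a runnable scanner. This is an added example and not code from the original page or from XunRuiCMS: the log lines are constructed for the example, the endpoint and parameter names come from the advisory, and the payload markers are a starting list to be triaged by hand rather than an exhaustive signature.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines in Combined Log Format (not real traffic).
# Line 3 is double percent-encoded, line 4 hits a different script.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2025:10:01:02 +0000] "GET /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data[name]=title HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2025:10:02:17 +0000] "GET /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data[name]=<script>alert(1)</script> HTTP/1.1" 200 4201 "-" "curl/8.0"
198.51.100.7 - - [04/Dec/2025:10:03:44 +0000] "GET /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data%5Bname%5D=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2025:10:04:00 +0000] "GET /index.php?data[name]=<script> HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markers typical of reflected-XSS probes: script-bearing tags, javascript: URLs,
# and inline event handlers inside a tag. Broad on purpose; triage hits by hand.
XSS_RE = re.compile(
    r'<\s*/?\s*(script|iframe|svg|object|embed)\b'
    r'|javascript\s*:'
    r'|<\s*\w+[^>]*\bon[a-z]+\s*=',
    re.I)


def suspicious_requests(lines, endpoint="admind45f74adbd95.php", param="data[name]"):
    """Return the requests to the affected endpoint whose data[name] value
    carries an XSS marker, after undoing up to two layers of percent-encoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/" + endpoint):
            continue
        # parse_qs percent-decodes keys and values once, so data%5Bname%5D
        # lands under the same key as data[name].
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = unquote(value)  # second pass catches double encoding
            if XSS_RE.search(decoded):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "payload": decoded})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], hit["status"], hit["payload"])
```

Run it against a real log with `suspicious_requests(open(path).read().splitlines())`; the source IP and timestamp of each hit give you the pivot for checking which account was logged in at the time and whether an administrator then opened the same URL.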
Attack Timeline
- Disclosure: 2025-12-04
Threat Intelligence
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N (assembled from the metric breakdown below)
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- Low: any valid user account is sufficient.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Unchanged: impact confined to the vulnerable component.
- Confidentiality
- None: no confidentiality impact.
- Integrity
- Low: the attacker can modify some data to a limited extent.
- Availability
- None: no availability impact.
Affected Software
XunRuiCMS 4.7.0 through 4.7.1
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-14006 is to upgrade XunRuiCMS to a release that fixes this vulnerability. Note that the page metadata above lists 4.7.1 and 4.7.2 under Fixed in while 4.7.1 is also in the affected range, and the CVE record itself names no fixed release; confirm the fixed version against the vendor's release notes before relying on the upgrade alone. Until a patched release is confirmed, apply temporary workarounds: validate the data[name] parameter on the /admind45f74adbd95.php endpoint and HTML-encode it wherever it is written back into the page (in PHP, htmlspecialchars() with ENT_QUOTES, so that quotes cannot break out of an attribute value). A web application firewall can be configured to block requests to that endpoint whose data[name] value contains <, javascript: or inline event handlers, in raw or percent-encoded form. Monitor web server access logs for such requests. After applying any mitigation, verify it by submitting a harmless probe that contains <, >, " and ' and confirming that every one of those characters comes back entity-encoded, not just the angle brackets.
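The verification step above, as a runnable check. This is an added example and not code from the original page or from XunRuiCMS: it builds the probe URL for the affected endpoint, then classifies how a response body reflects a canary. The base URL and the four sample response bodies are constructed assumptions; fetching the page itself needs a valid backend session (PR:L) and is left to the caller, so the classifier works on whatever body you hand it.

```python
import html
import re
from urllib.parse import urlencode

# Canary: a unique prefix followed by the four metacharacters that must all
# come back entity-encoded for the reflection to be safe.
PREFIX = "xrc14006"
META = '<"\'>'
CANARY = PREFIX + META


def build_probe_url(base="http://your-xunruicms-site.com/admind45f74adbd95.php"):
    """Probe URL for the affected endpoint; base URL is an assumption.
    urlencode percent-encodes both the bracketed key and the canary."""
    params = [("c", "field"), ("m", "add"), ("rname", "site"),
              ("rid", "1"), ("page", "1"), ("data[name]", CANARY)]
    return base + "?" + urlencode(params)


# One HTML character reference: named, decimal or hexadecimal.
ENTITY = re.compile(r"&(#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z]+);")


def classify_reflection(body, prefix=PREFIX, meta=META):
    """'unescaped' if any metacharacter of the canary is reflected raw,
    'escaped' if every reflection is entity-encoded, 'absent' if the canary
    does not appear. A single raw quote is enough to break out of an
    attribute, so partial encoding counts as unescaped."""
    verdict = "absent"
    for m in re.finditer(re.escape(prefix), body):
        pos = m.end()
        raw = False
        matched = True
        for ch in meta:
            if body.startswith(ch, pos):        # reflected verbatim
                raw = True
                pos += 1
                continue
            ent = ENTITY.match(body, pos)       # reflected as an entity?
            if ent and html.unescape(ent.group(0)) == ch:
                pos = ent.end()
                continue
            matched = False                     # prefix without the canary
            break
        if not matched:
            continue
        if raw:
            return "unescaped"
        verdict = "escaped"
    return verdict


# Constructed response bodies, not captured from a real site.
VULNERABLE = '<input type="text" name="data[name]" value="' + CANARY + '">'
FIXED = ('<input type="text" name="data[name]" value="'
         + html.escape(CANARY, quote=True) + '">')
PARTIAL = '<input type="text" name="data[name]" value="xrc14006&lt;"\'&gt;">'
ABSENT = "<html><body>login required</body></html>"


if __name__ == "__main__":
    print(build_probe_url())
    for label, body in (("vulnerable", VULNERABLE), ("fixed", FIXED),
                        ("partial", PARTIAL), ("absent", ABSENT)):
        print(label, "->", classify_reflection(body))
```

The PARTIAL body models the common half-fix where only angle brackets are encoded: the canary's quotes come back raw, which still allows an attribute breakout, so the check reports it as unescaped. An "absent" result on a live target usually means the request was bounced to the login page rather than that the field is safe; check the status code and body before drawing a conclusion.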
How to Fix
Update XunRuiCMS to a release later than 4.7.1 that the vendor confirms fixes this XSS. If updating is not possible, review how the /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 endpoint handles the data[name] parameter and HTML-encode it on output (for example PHP's htmlspecialchars() with ENT_QUOTES) so that injected markup and quotes cannot be rendered as code.
Frequently Asked Questions
What is CVE-2025-14006 — XSS in XunRuiCMS?
CVE-2025-14006 is a cross-site scripting (XSS) vulnerability affecting XunRuiCMS versions 4.7.0-4.7.1, allowing attackers to inject malicious scripts into web pages.
Am I affected by CVE-2025-14006 in XunRuiCMS?
You are affected if you run XunRuiCMS 4.7.0 or 4.7.1 and have not upgraded to a release the vendor confirms as fixed.
How do I fix CVE-2025-14006 in XunRuiCMS?
Upgrade XunRuiCMS to a version that includes a fix for this vulnerability. Until a patched version is released, implement input validation and output encoding as temporary workarounds.
Is CVE-2025-14006 being actively exploited?
No confirmed exploitation campaigns or CISA KEV listing are reported, but because the details are public and a working request is trivial to build, CVE-2025-14006 should be treated as exploitable and may be targeted by attackers.
Where can I find the official XunRuiCMS advisory for CVE-2025-14006?
The vendor was contacted but did not respond. Check the XunRuiCMS website or relevant security forums for updates.