Platform: php
Component: vul
Fixed in: 4.7.1, 4.7.2
CVE-2025-14006 describes a cross-site scripting (XSS) vulnerability discovered in XunRuiCMS versions 4.7.0 through 4.7.1. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The affected component is the Add Data Validation Page, specifically the /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 endpoint. While the CVSS score is LOW, the public disclosure and remote exploitability warrant immediate attention.
An attacker can exploit this XSS vulnerability by crafting a URL whose data[name] parameter carries script content. When a user visits this URL, the injected script executes in their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The impact can range from minor annoyance to significant data compromise, depending on the attacker's goals and the user's privileges. Because the vulnerability is reachable remotely, it presents a broad attack surface, and the public disclosure increases the likelihood of exploitation by both automated scanners and targeted attackers.
This vulnerability was publicly disclosed on 2025-12-04. The description indicates that the vendor was contacted but did not respond. The vulnerability is considered to be actively exploitable due to its public disclosure and remote accessibility. There is no indication of it being added to the CISA KEV catalog or any confirmed exploitation campaigns at this time. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and public disclosure.
Organizations and individuals using XunRuiCMS versions 4.7.0 through 4.7.1 are at risk. Shared hosting environments where multiple users share the same XunRuiCMS installation are particularly vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability. Legacy configurations that haven't been regularly updated are also at increased risk.
• php / web server:
grep -rE 'data\[name\]=[^>]*script' /var/www/html/admind45f74adbd95.php
• web server:
curl -s -g 'http://your-xunruicms-site.com/admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data[name]=<script>alert("XSS")</script>' | grep 'alert("XSS")'
• generic web:
Inspect web server access logs for requests to /admind45f74adbd95.php containing suspicious characters or patterns in the data[name] parameter, such as <script> or javascript:.
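The access-log inspection described in the last bullet, as an added example that is not part of this advisory: it parses combined-format log lines (constructed here, not real traffic), extracts data[name] for requests to the endpoint named above, and percent-decodes the value before matching, so URL-encoded payloads that a literal grep on the raw log would miss are still flagged.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admind45f74adbd95.php"  # path named in the advisory
PARAM = "data[name]"                 # parameter named in the advisory
# Markup/script indicators, checked against the percent-decoded value:
# an opening/closing tag, a javascript: URL, or an inline event handler.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)
# Combined log format: the request line is the first double-quoted field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_data_name(target: str) -> Optional[str]:
    """Return the decoded data[name] value when the request targets the
    vulnerable endpoint and the value looks injected; otherwise None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes once; unquote again so a double-encoded
    # payload (%253C -> %3C -> <) is still inspected in clear form.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = unquote(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None

def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, decoded_value) for every suspicious request line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            hit = suspicious_data_name(m.group("target"))
            if hit is not None:
                yield line.split(" ", 1)[0], hit

# Constructed sample lines (not real traffic): 2nd and 4th carry payloads;
# the 3rd carries one on an unrelated path and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2025:10:00:01 +0000] "GET /admind45f74adbd95.php'
    '?c=field&m=add&rname=site&rid=1&page=1&data[name]=title HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Dec/2025:10:00:02 +0000] "GET /admind45f74adbd95.php'
    '?c=field&m=add&rname=site&rid=1&page=1&data[name]=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [04/Dec/2025:10:00:03 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 128',
    '203.0.113.11 - - [04/Dec/2025:10:00:04 +0000] "GET /admind45f74adbd95.php'
    '?c=field&m=add&data[name]=x%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious data[name] = {value!r}")
```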
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-14006 is to upgrade XunRuiCMS to a version that includes a fix for this vulnerability. Unfortunately, a specific fixed version is not provided in the available data. Until a patched version is released, consider implementing temporary workarounds such as input validation and output encoding on the data[name] parameter within the /admind45f74adbd95.php endpoint. Web application firewalls (WAFs) can also be configured to block requests containing suspicious characters in the data[name] parameter. Monitor web server access logs for unusual activity or attempts to exploit the vulnerability. After applying any mitigation, verify its effectiveness by attempting to inject a simple XSS payload and confirming that it is properly neutralized.
Update XunRuiCMS to a version later than 4.7.1 to fix the XSS vulnerability. If updating is not possible, review and filter user input in the /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 file, especially the data[name] parameter, to prevent the injection of malicious code.
CVE-2025-14006 is a cross-site scripting (XSS) vulnerability affecting XunRuiCMS versions 4.7.0-4.7.1, allowing attackers to inject malicious scripts into web pages.
You are affected if you are using XunRuiCMS versions 4.7.0 or 4.7.1 and have not upgraded to a patched version.
Upgrade XunRuiCMS to a version that includes a fix for this vulnerability. Until a patched version is released, implement input validation and output encoding as temporary workarounds.
Due to its public disclosure, CVE-2025-14006 is considered actively exploitable and may be targeted by attackers.
The vendor was contacted but did not respond. Check the XunRuiCMS website or relevant security forums for updates.