dayrui XunRuiCMS Add Data Validation admind45f74adbd95.php cross site scripting
Platform: php
Component: vul
Fixed in: 4.7.1, 4.7.2
CVE-2025-14006 describes a cross-site scripting (XSS) vulnerability discovered in XunRuiCMS versions 4.7.0 through 4.7.1. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The affected component is the Add Data Validation Page, specifically the /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 endpoint. While the CVSS score is LOW, the public disclosure and remote exploitability warrant immediate attention.
Impact and Attack Scenarios
An attacker can exploit this XSS vulnerability by crafting a URL in which the data[name] parameter carries script content. When a user visits this URL, the injected script executes in their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The impact can range from minor annoyance to significant data compromise, depending on the attacker's goals and the user's privileges. Because the vulnerable endpoint is reachable remotely, it presents a broad attack surface, and the public disclosure increases the likelihood of exploitation by both automated scanners and targeted attackers.
Exploitation Context
This vulnerability was publicly disclosed on 2025-12-04. The description indicates that the vendor was contacted but did not respond. The vulnerability is considered to be actively exploitable due to its public disclosure and remote accessibility. There is no indication of it being added to the CISA KEV catalog or any confirmed exploitation campaigns at this time. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and public disclosure.
Who Is at Risk
Organizations and individuals using XunRuiCMS versions 4.7.0 through 4.7.1 are at risk. Shared hosting environments where multiple users share the same XunRuiCMS installation are particularly vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability. Legacy configurations that haven't been regularly updated are also at increased risk.
Detection Steps
• php / web server:
  grep -r 'data[name]=[^>]*script' /var/www/html/admind45f74adbd95.php
• web server:
  curl -s 'http://your-xunruicms-site.com/admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data[name]=<script>alert("XSS")</script>' | grep 'alert("XSS")'
• generic web:
  Inspect web server access logs for requests to /admind45f74adbd95.php containing suspicious characters or patterns in the data[name] parameter, such as <script> or javascript:.
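The access-log inspection step above, worked through as an added example that is not part of this advisory or of XunRuiCMS: a small PHP CLI script that parses combined-log-format lines, keeps only requests to the affected script, percent-decodes the query string and reports any data[name] value containing markup or event-handler syntax. The function names, the suspicious-pattern policy and the sample log lines are all constructed assumptions.

```php
<?php
// Added example (not XunRuiCMS code): flag requests to the affected endpoint
// whose data[name] parameter carries markup. Policy and names are assumptions.
declare(strict_types=1);

const AFFECTED_SCRIPT = '/admind45f74adbd95.php';

// A benign CMS field name should never contain any of these (assumed policy).
const SUSPICIOUS = '/<|>|javascript:|on[a-z]+\s*=/i';

/** Extract the request target from a combined-log-format line, or null. */
function requestTarget(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[0-9.]+"/', $line, $m) !== 1) {
        return null;
    }
    return $m[1];
}

/** Return the decoded data[name] value when the request looks suspicious, else null. */
function suspiciousFieldName(string $line): ?string
{
    $target = requestTarget($line);
    if ($target === null) {
        return null;
    }
    $parts = parse_url($target);
    // Only the vulnerable script is of interest; other paths are ignored.
    if (($parts['path'] ?? '') !== AFFECTED_SCRIPT) {
        return null;
    }
    // parse_str percent-decodes and builds the nested data[name] array,
    // so encoded probes (data%5Bname%5D=%3C...) are caught as well.
    parse_str($parts['query'] ?? '', $query);
    $name = $query['data']['name'] ?? null;
    if (!is_string($name)) {
        return null;
    }
    return preg_match(SUSPICIOUS, $name) === 1 ? $name : null;
}

// Constructed sample lines (documentation-range addresses, no real clients).
$lines = [
    '203.0.113.5 - - [04/Dec/2025:10:00:01 +0000] "GET /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data[name]=title HTTP/1.1" 200 1234',
    '203.0.113.9 - - [04/Dec/2025:10:00:02 +0000] "GET /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data%5Bname%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1234',
    '203.0.113.9 - - [04/Dec/2025:10:00:03 +0000] "GET /index.php?data[name]=%3Cb%3E HTTP/1.1" 200 50',
];

foreach ($lines as $n => $line) {
    $hit = suspiciousFieldName($line);
    if ($hit !== null) {
        printf("line %d: suspicious data[name] = %s\n", $n + 1, $hit);
    }
}
```

Decoding before matching matters: a plain grep over the raw log misses percent-encoded probes, and restricting to the affected path keeps the signal from drowning in unrelated requests. Run it against a real log with `while` over `STDIN` or `file()` in place of the constructed `$lines` array.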
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; the attacker can exploit reliably.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: Required. The victim must open a file, click a link, or visit a page.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No confidentiality impact.
- Integrity: Low. The attacker can modify some data, with limited reach.
- Availability: None. No availability impact.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-14006 is to upgrade XunRuiCMS to a version that includes a fix for this vulnerability. Unfortunately, a specific fixed version is not provided in the available data. Until a patched version is released, consider implementing temporary workarounds such as input validation and output encoding on the data[name] parameter within the /admind45f74adbd95.php endpoint. Web application firewalls (WAFs) can also be configured to block requests containing suspicious characters in the data[name] parameter. Monitor web server access logs for unusual activity or attempts to exploit the vulnerability. After applying any mitigation, verify its effectiveness by attempting to inject a simple XSS payload and confirming that it is properly neutralized.
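The input-validation and output-encoding workaround described above, shown as an added example that is neither XunRuiCMS's code nor the vendor's fix: an illustrative reflecting handler for data[name] next to a hardened version that validates the parameter against an allow-list on the way in and entity-encodes it on the way out. The function names, the allow-list policy and the sample request are assumptions made for the example.

```php
<?php
// Added example (not XunRuiCMS code): validate-on-input, encode-on-output for a
// field-name parameter such as data[name]. Names and policy are assumptions.
declare(strict_types=1);

/**
 * Allow-list validation: a CMS field identifier only needs letters, digits and
 * underscore (assumed policy). Returns null for anything else.
 */
function validateFieldName(string $name): ?string
{
    $name = trim($name);
    // \z rather than $ so a trailing newline cannot slip past the check.
    if (preg_match('/^[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Encode a value for use inside an HTML attribute or text node. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Illustrative vulnerable pattern: reflect the raw parameter ----------
function renderUnsafe(array $get): string
{
    $name = $get['data']['name'] ?? '';
    // A value containing a quote closes the attribute and breaks into markup.
    return '<input type="text" name="data[name]" value="' . $name . '">';
}

// --- Hardened pattern: validate first, encode everything that is echoed ---
function renderSafe(array $get): string
{
    // ?? uses isset semantics, so a missing key or data being a plain string
    // yields '' instead of a notice; an array value is rejected explicitly.
    $raw = $get['data']['name'] ?? '';
    $raw = is_string($raw) ? $raw : '';
    $name = validateFieldName($raw);
    if ($name === null) {
        // Reject, and still encode the rejected value before echoing it back
        // (defense in depth: encoding protects even if validation is loosened).
        return '<p class="error">Invalid field name: ' . h($raw) . '</p>';
    }
    return '<input type="text" name="data[name]" value="' . h($name) . '">';
}

// Constructed sample request, shaped the way PHP presents data[name] in $_GET.
$sample = ['data' => ['name' => '"><script>alert(1)</script>']];
echo renderUnsafe($sample), PHP_EOL;
echo renderSafe($sample), PHP_EOL;
```

The two layers are independent: validation keeps the accepted set small and predictable for a field identifier, while `htmlspecialchars` with `ENT_QUOTES` guarantees that whatever is written into an attribute cannot terminate it. Applying only a WAF signature or only a blacklist of `<script>` leaves the encoded and event-handler variants open, which is why the advisory's recommended verification step (re-testing with a simple payload after the change) should exercise the attribute context as well as the text context.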
How to Fix
Update XunRuiCMS to a version later than 4.7.1 to fix the XSS vulnerability. If updating is not possible, review and filter user input in the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1, especially the data[name] parameter, to prevent injection of malicious code.
Frequently Asked Questions
What is CVE-2025-14006 — XSS in XunRuiCMS?
CVE-2025-14006 is a cross-site scripting (XSS) vulnerability affecting XunRuiCMS versions 4.7.0-4.7.1, allowing attackers to inject malicious scripts into web pages.
Am I affected by CVE-2025-14006 in XunRuiCMS?
You are affected if you are using XunRuiCMS versions 4.7.0 or 4.7.1 and have not upgraded to a patched version.
How do I fix CVE-2025-14006 in XunRuiCMS?
Upgrade XunRuiCMS to a version that includes a fix for this vulnerability. Until a patched version is released, implement input validation and output encoding as temporary workarounds.
Is CVE-2025-14006 being actively exploited?
Due to its public disclosure, CVE-2025-14006 is considered actively exploitable and may be targeted by attackers.
Where can I find the official XunRuiCMS advisory for CVE-2025-14006?
The vendor was contacted but did not respond. Check the XunRuiCMS website or relevant security forums for updates.