XunRuiCMS XSS

There is a cross-site scripting vulnerability in the background login  （CVE-2024-24388）

 

一、

dayrui\Fcms\Control\Admin\Login.php

As can be seen from the code, only the trim() function in the login part of the input username to remove the simple processing of the first and last Spaces

 

 

dayrui\Fcms\Library\Security.php

Security filtering provided with XunRuiCMS indicates that only some special characters can be escaped

 

二、Causes of vulnerabilities

 

The user name authentication filtering is not strict, and the built-in security filtering mechanism only escapes some special characters. This allows an attacker to construct special code to exploit the vulnerability

 

三、payload

 

<iframe src=javascript:alert(/xss/)>

 

四、Vulnerability verification

 

Self-built environment: Version 4.6.2