XunRuiCMS XSS
There is a cross-site scripting vulnerability in the background login (CVE-2024-24388)
一、
dayrui\Fcms\Control\Admin\Login.php
As can be seen from the code, only the trim() function in the login part of the input username to remove the simple processing of the first and last Spaces
dayrui\Fcms\Library\Security.php
Security filtering provided with XunRuiCMS indicates that only some special characters can be escaped
二、Causes of vulnerabilities
The user name authentication filtering is not strict, and the built-in security filtering mechanism only escapes some special characters. This allows an attacker to construct special code to exploit the vulnerability
三、payload
<iframe src=javascript:alert(/xss/)>
四、Vulnerability verification
Self-built environment: Version 4.6.2