XunRuiCMS 4.7.1 Reflected XSS via JSONP Callback Parameter

Critical Vulnerability Information Vulnerability Title: XunRuiCMS 4.7.1 XSS Vulnerability Description: - CVE ID: XunRuiCMS 4.7.1 and earlier versions are affected by a reflected Cross-Site Scripting (XSS) vulnerability, exploitable via JSONP callback parameters. - Affected Functions: - function (lines 272-276) - function (lines 296-300) - Location: /dayrui/Fcms/Init.php - Root Cause: During JSONP request processing, the application directly retrieves the 'callback' parameter from and outputs it in the HTTP response without proper input validation, output encoding, or sanitization. - Exploitation Method: Attackers can inject malicious JavaScript code by crafting a malicious URL, such as . When a victim clicks the link, the injected script executes within their session, potentially leading to session hijacking, credential theft, or other malicious activities. - Unsanitized Condition: The security issue exists in the global functions and within , which do not use —a properly implemented sanitization function already present in . Source: https://note-hxlab.wetolink.com/share/gbCf35DJ3los Submitter: yu22x (UID 34832) Submission Date: 2025-12-16 Review Date: 2025-12-27 Status: Accepted VulDB Entry: 338522 Affected Software: XunRuiCMS up to 4.7.1 Category: JSONP Callback, XSS Score: 19

Goal Reached Thanks to every supporter — we hit 100%!

XunRuiCMS 4.7.1 Reflected XSS via JSONP Callback Parameter