CVE-2025-15144

4.3 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in XunRuiCMS that allows attackers to inject malicious scripts via the JSONP callback parameter. The vulnerability affects XunRuiCMS versions up to 4.7.1 and can be exploited remotely without authentication. Attackers could steal session cookies, redirect users, or perform actions on behalf of authenticated users.

💻 Affected Systems

Products:
  • dayrui XunRuiCMS
Versions: up to and including 4.7.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the vulnerable JSONP callback handler are affected. The vulnerability is in core framework code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain administrative access to the CMS, deface websites, or install backdoors for persistent access.

🟠 Likely Case

Attackers would steal user session cookies to hijack accounts, redirect users to malicious sites, or perform limited actions based on the victim's permissions.

🟢 If Mitigated

With proper input validation and output encoding, the attack would be prevented, though the vulnerable code path would still exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in the references. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available, and the vendor did not respond to disclosure. Upgrade if a fixed version becomes available; until then, apply the workarounds below.

🔧 Temporary Workarounds

Input Validation for JSONP Callback (applies to: all)

  • Add validation to ensure the callback parameter contains only alphanumeric characters and underscores.
  • Modify /dayrui/Fcms/Init.php to validate the callback parameter before processing.

Content Security Policy Header (applies to: all)

  • Implement CSP headers to restrict script execution sources.
  • Add the header Content-Security-Policy: script-src 'self' to HTTP responses.
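The following is an added example of the two workarounds above combined in one place; it is not XunRuiCMS code and is not taken from /dayrui/Fcms/Init.php. The function names, the `callback` parameter name and the surrounding request handling are assumptions; the allow-list (letters, digits, underscore) is the one the workaround describes.

```php
<?php
// Added example (not XunRuiCMS code): allow-list validation for a JSONP
// callback name, plus response headers that stop the response body from
// being interpreted as HTML. Function names are hypothetical.

/**
 * Return the callback name if it is safe to echo, or null if it must be rejected.
 * Allow-list: letters, digits and underscore only. Dots are deliberately not
 * allowed, which is stricter than some JSONP libraries.
 */
function safe_jsonp_callback(?string $callback): ?string
{
    if ($callback === null || $callback === '') {
        return null;                       // parameter absent: plain JSON response
    }
    if (strlen($callback) > 64) {
        return null;                       // legitimate callback names are short
    }
    // \A and \z anchor the whole string; $ alone would accept a trailing newline.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $callback)) {
        return null;
    }
    return $callback;
}

/**
 * Emit a JSON or JSONP response for $data, using $rawCallback only if it
 * passes the allow-list. Rejected values get a 400 and are never echoed.
 */
function send_jsonp(array $data, ?string $rawCallback): void
{
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $callback = safe_jsonp_callback($rawCallback);

    // nosniff keeps browsers from sniffing the body as HTML; the CSP header is
    // the one the advisory recommends and blocks inline script if the response
    // is ever rendered as a document.
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: script-src 'self'");

    if ($callback === null) {
        header('Content-Type: application/json; charset=utf-8');
        if ($rawCallback !== null && $rawCallback !== '') {
            http_response_code(400);
            echo json_encode(['error' => 'invalid callback name']);
            return;
        }
        echo $json;
        return;
    }

    header('Content-Type: application/javascript; charset=utf-8');
    // Leading comment is a common JSONP hardening that defeats content-sniffing
    // of the response as another file type.
    echo '/**/' . $callback . '(' . $json . ');';
}

// Usage (parameter name assumed): send_jsonp(['ok' => true], $_GET['callback'] ?? null);
```

Rejecting rather than "cleaning" an invalid callback is the safer choice: a stripped-down name would still be echoed into a script context, while a 400 response never reflects attacker-controlled text. Serving the JSONP response as application/javascript with nosniff also removes the path where the endpoint is opened directly as an HTML document.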

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Disable JSONP functionality if not required for the application

🔍 How to Verify

Check if Vulnerable:

Check if XunRuiCMS version is 4.7.1 or earlier. Test by attempting to inject script payloads in the JSONP callback parameter.

Check Version:

Check the CMS version in the admin panel or look for version information in source files

Verify Fix Applied:

Verify that script injection attempts in the JSONP callback parameter are properly sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual callback parameter values in JSONP requests
  • Script tags or JavaScript code in callback parameters

Network Indicators:

  • HTTP requests with suspicious callback parameter values containing script tags or JavaScript

SIEM Query:

web_requests callback:*script* OR callback:*javascript*
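The SIEM query above matches the literal strings "script" and "javascript", which misses URL-encoded values. As an added example (not from the page or from XunRuiCMS), the script below applies the same allow-list used for the fix to access log lines: any callback value that is not a plain identifier is flagged, encoded or not. The log lines are constructed samples in the common Apache/Nginx "combined" format; the `callback` parameter name is an assumption.

```php
<?php
// Added example (not from the page): flag JSONP callback values in access logs
// that fall outside the allow-list. Sample lines below are constructed.

const CALLBACK_PATTERN = '/\A[A-Za-z_][A-Za-z0-9_]*\z/';

/**
 * Extract the URL-decoded callback value from a "combined" log line's request
 * line, or null when there is no request line or no callback parameter.
 */
function extract_callback(string $logLine): ?string
{
    // Request line looks like: "GET /index.php?c=api&callback=foo HTTP/1.1"
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // parse_str URL-decodes values for us
    return (isset($params['callback']) && is_string($params['callback']))
        ? $params['callback']
        : null;
}

/**
 * Return one entry per log line whose callback value is not a plain identifier.
 */
function suspicious_callbacks(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $cb = extract_callback($line);
        if ($cb !== null && !preg_match(CALLBACK_PATTERN, $cb)) {
            $hits[] = ['callback' => $cb, 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample lines: one benign jQuery-style callback, one encoded
// script tag, one request without a callback parameter.
$sample = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?c=api&callback=jQuery123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?c=api&callback=%3Cscript%3E HTTP/1.1" 200 540 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?c=api HTTP/1.1" 200 500 "-" "curl/8.0"',
];

foreach (suspicious_callbacks($sample) as $hit) {
    echo 'suspicious callback: ' . json_encode($hit['callback']) . "\n";
}
// Only the second line is reported; its decoded callback is "<script>".
```

Because the check is "not on the allow-list" rather than "contains a known bad string", it also surfaces probing with characters such as parentheses or quotes that the substring query would ignore, and it has no false positives on ordinary jQuery-generated callback names.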

🔗 References
