07FLY Enterprise Management System S1 Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the 07FLY Enterprise Management System, including 07FLYCMS, 07FLY-CMS, and 07FlyCRM, all versions prior to 20250831. The issue resides in the /index.php file, where the 'name' parameter in GET requests is not properly sanitized. This lack of input validation allows remote attackers to inject arbitrary JavaScript, which is executed in the context of the user's browser. No authentication is required to exploit this vulnerability.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, send a GET request to the /index.php endpoint with a payload in the 'name' parameter that includes JavaScript. The injected script will be reflected in the response and executed in the browser.

Remediation

It is recommended to sanitize and validate the 'name' parameter on the server side, rejecting inputs that contain HTML or JavaScript syntax. Additionally, implement output encoding to convert special characters into HTML entities before rendering. A strict Content Security Policy can also be applied to block unauthorized script execution.