dayrui XunRuiCMS
cpe:2.3:a:xunruicms:xunruicms:*:*:*:*:*:*:*
- <= 4.7.1
A cross-site scripting (XSS) vulnerability has been identified in Dayrui XunRuiCMS versions through 4.7.1. The issue arises in the Add Display Name Field component, specifically within the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0. The vulnerability is triggered by manipulating the data[name] argument, allowing for the injection of malicious scripts. This issue can be exploited remotely, and a public proof-of-concept exploit is available.
Successful exploitation results in cross-site scripting: the attacker's injected script is executed in the context of the user's browser.
To reproduce this vulnerability, navigate to the XunRuiCMS admin panel and go to Settings > Project Information > Basic Settings. Once there, add a new Display Name field. The vulnerability can be triggered by inserting a script payload into the Field Name input, which is then processed without proper sanitization, leading to script execution.
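For defenders reviewing captured requests or prototyping a filtering rule, the following added example (not XunRuiCMS code and not part of the original advisory) flags field-add requests whose data[name] value contains markup characters after decoding. The record layout (URL plus form-encoded body), the sample requests, and the choice to match on c=field and m=add rather than on the script name are assumptions made here.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters that a plain-text display name should not need (may flag apostrophes).
MARKUP = re.compile(r"[<>\"'`]")

def fully_decode(value, rounds=3):
    """Undo nested URL and HTML-entity encoding, bounded to a few passes."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def is_field_add(url):
    """True when the query string selects c=field and m=add, as in the advisory."""
    query = parse_qs(urlsplit(url).query)
    return query.get("c") == ["field"] and query.get("m") == ["add"]

def suspicious_names(records):
    """Return (url, decoded data[name]) for field-add requests carrying markup."""
    hits = []
    for url, body in records:
        if not is_field_add(url):
            continue
        # Assumption: data[name] may arrive in the query string or a form-encoded body.
        params = parse_qs(urlsplit(url).query + "&" + body, keep_blank_values=True)
        for raw in params.get("data[name]", []):
            name = fully_decode(raw)
            if MARKUP.search(name):
                hits.append((url, name))
    return hits

# Constructed sample requests (URL, body); not taken from a real log.
ADD = "/admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0"
SAMPLE = [
    (ADD, "data%5Bname%5D=Site+title"),
    (ADD, "data%5Bname%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    (ADD, "data%5Bname%5D=%253Cb%253E"),
    ("/index.php?c=other&m=index", "data%5Bname%5D=%3Cb%3E"),
]

if __name__ == "__main__":
    for url, name in suspicious_names(SAMPLE):
        print(f"markup in data[name]: {name!r} via {url}")
```

A check like this only surfaces suspicious submissions; the fix for the flaw itself is encoding the stored name when it is rendered.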