Dayrui XunRuiCMS Cross-Site Scripting Vulnerability in Data Validation Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Dayrui XunRuiCMS versions through 4.7.1. The issue resides in the Add Data Validation Page component, reached through the request /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1. Manipulating the data[name] argument allows malicious scripts to be injected. The vulnerability can be exploited remotely and has been publicly disclosed, and a proof-of-concept exploit is available.

Impact

Exploiting this vulnerability lets an attacker inject malicious scripts that execute in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the 'Settings' menu, then go to 'Project Information' and select 'Data Validation'. Add a new validation and enter a regular expression that includes a script injection, such as an image tag with an 'onerror' event. Once the validation prompt is saved, the injected script will execute, demonstrating the cross-site scripting vulnerability.
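A detection sketch for the request described above, added here as an example and not taken from XunRuiCMS or the original disclosure: it flags submissions to the field "add" action whose data[name] value contains markup. It assumes the form is sent as a URL-encoded POST body, and it matches on the c and m query parameters rather than the script name on the assumption that the admin script name can differ between installs. The function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markup that has no place in a validation rule's display name:
# an opening tag, an inline event handler, or a javascript: URI.
MARKUP = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.I)

def is_field_add(url):
    """True for requests to the field 'add' action (c=field&m=add)."""
    q = parse_qs(urlsplit(url).query)
    return q.get("c") == ["field"] and q.get("m") == ["add"]

def suspicious_names(method, url, body):
    """Return the data[name] values in a form body that contain markup."""
    if method.upper() != "POST" or not is_field_add(url):
        return []
    # parse_qs URL-decodes keys and values, so data%5Bname%5D and
    # data[name] are treated as the same field.
    form = parse_qs(body, keep_blank_values=True)
    return [v for v in form.get("data[name]", []) if MARKUP.search(v)]

def scan(records):
    """Yield (index, values) for each (method, url, body) record flagged."""
    for i, (method, url, body) in enumerate(records):
        hits = suspicious_names(method, url, body)
        if hits:
            yield i, hits

# Constructed sample requests (method, URL, form body); not real traffic.
ADD_URL = "/admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1"
SAMPLE = [
    ("POST", ADD_URL, "data%5Bname%5D=Phone+number"),
    ("POST", ADD_URL,
     "data%5Bname%5D=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"),
    ("GET", ADD_URL, ""),
]

if __name__ == "__main__":
    for index, values in scan(SAMPLE):
        print(f"record {index}: markup in data[name]: {values!r}")
```

A match is a lead for review, not proof of compromise; the durable fix is for the application to HTML-encode the stored name wherever it is rendered.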

Added: Dec 4, 2025, 3:30 PM
Updated: Dec 4, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.