Xunruicms Cross-Site Scripting Vulnerability Allowing Privilege Escalation

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects Xunruicms versions through 4.6.3. The upload handler accepts files by extension, and .svg is on the whitelist. Because SVG is an XML format that may carry <script> elements, on* event-handler attributes and javascript: links, a crafted SVG passes the extension check, is stored by the application and is later rendered by the browser with its script intact. A remote attacker who can reach the upload function can therefore run script in the browser of any user who opens the file, including an administrator, which is how the reported privilege escalation is achieved. The root cause is that uploads are validated by file extension only, not by content.

Impact

Successful exploitation yields stored cross-site scripting: the uploaded SVG is kept on the server, and the payload embedded in it executes within the application whenever the file is opened in a browser. The attacker's script then acts with the viewing user's session, which with an administrator as the viewer amounts to the privilege escalation described above.

Reproduction

To reproduce, log in to the Xunruicms backend, open the content settings and then the website settings section, and use the upload control there to submit an SVG file that contains a cross-site scripting payload (for example a <script> element inside the <svg> root). The upload passes the extension whitelist and is stored; opening the stored file in a browser executes the payload, confirming the stored XSS.
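As an added example (not code from Xunruicms or from this advisory), the following Python shows both sides of the issue described in the vulnerability and reproduction sections above: a minimal SVG of the kind the reproduction step uses, and a server-side content check that an upload handler could apply before accepting a whitelisted .svg. The sample SVG files, the ALLOWED_EXT whitelist, the MAGIC table and the function names are constructed for this illustration and are assumptions, not taken from Xunruicms.

```python
"""Stored-XSS check for SVG uploads (added example; not Xunruicms code).

An extension whitelist that includes .svg does not stop script: SVG is XML
and may carry <script>, on* event handlers and javascript: links.  The
scanner below rejects those, and check_upload() shows where it would sit
in an upload handler.  All names and sample files are constructed here.
"""
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed HTML when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Only same-document fragment references are accepted in href/xlink:href;
# javascript:, data: and remote URLs are all rejected.
SAFE_HREF_RE = re.compile(r"^#[\w.-]*$")
# Assumed upload whitelist; .svg is the entry that lets script through.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "svg"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
         "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return a list of reasons the SVG is unsafe; an empty list means clean.

    NOTE: ElementTree expands internal entities; for untrusted input in
    production use defusedxml.ElementTree.fromstring with the same calls.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # document order, root included
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        if name == "style" and re.search(r"@import|url\(", el.text or "", re.I):
            findings.append("<style> loads an external resource")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            v = value.strip()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and not SAFE_HREF_RE.match(v):
                findings.append(f"non-fragment href on <{name}>: {v[:40]}")
            elif v.lower().startswith("javascript:"):
                # Covers e.g. <set attributeName="href" to="javascript:...">
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def check_upload(filename, data):
    """(accepted, reasons): the whitelist check plus a content check per type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, [f"extension .{ext} not allowed"]
    if ext == "svg":
        reasons = svg_findings(data)
        return not reasons, reasons
    # Raster types: at least require the declared type's magic bytes.
    if not data.startswith(MAGIC[ext]):
        return False, [f"content does not match .{ext} signature"]
    return True, []


# Constructed samples: a payload of the kind the reproduction step describes,
# and a clean icon that only references its own content.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
  <rect width="10" height="10" onload="alert(2)"/>
</svg>"""
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle id="c" cx="5" cy="5" r="4" fill="#36c"/><use href="#c"/></svg>')

if __name__ == "__main__":
    for fname, blob in (("logo.svg", MALICIOUS_SVG), ("icon.svg", BENIGN_SVG)):
        ok, why = check_upload(fname, blob)
        print(fname, "accepted" if ok else "rejected", why)
```

Content scanning is the second line of defence. The first is to serve user uploads so that the browser never executes them: from a separate origin, or with a Content-Disposition: attachment header and a Content-Security-Policy of sandbox or script-src 'none'. An SVG referenced through an <img> element does not run its script; the exposure is the file opened directly at its upload URL, which is what the reproduction step relies on.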

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          5.0
exploitability  6.5
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.