VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Sep 19, 2025 · Updated Apr 29, 2026

CVE-2025-10710

Description

A flaw has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This affects an unknown part of the file /index.php. This manipulation of the argument Name causes cross-site scripting. The attack can be carried out remotely. The exploit has been published and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in 07FLYCMS/07FlyCRM up to 20250831 allows remote attackers to inject arbitrary JavaScript via the name parameter in /index.php without authentication.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability affects 07FLYCMS, 07FLY-CMS, and 07FlyCRM (the same product distributed under several names) up to version 20250831. The flaw is in the /index.php endpoint, which reflects the name GET parameter into its HTML response without output encoding, so attacker-supplied markup and script placed in that parameter execute in the victim's browser under the application's origin [1].

Exploitation

Details

The attack is remotely exploitable without authentication or prior access. An attacker crafts a URL carrying a payload in the name parameter, for example ;%3Cimg%20src%3Dxyz%20OnErRor%3Dalert(9801)%3E (which decodes to ;<img src=xyz OnErRor=alert(9801)>), and persuades a victim to open it. The server reflects the value into the response unencoded, so the injected img element's onerror handler runs in the victim's browser as soon as the page loads. Two details of the published payload matter to defenders: the mixed-case OnErRor defeats case-sensitive keyword filters, and the leading semicolon trips up query parsers that treat ; as a parameter separator. No special network position is required and the attack works over the internet, but it does require the victim to open the attacker's link [1].
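The following is an added detection example, not code from the advisory or from the 07FLY project: it scans combined-format web server access log lines for the pattern described above, percent-decodes the name parameter (repeatedly, to catch double encoding), splits the query string on & only so the payload's leading ; is not mistaken for a separator, and matches tag and event-handler fragments case-insensitively so the OnErRor spelling is caught. The log lines are constructed sample data; the rule names and the scan_log/classify helpers are this example's own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in combined format (sample data, not real traffic).
# Line 2 carries the payload quoted in the advisory; line 3 is double-encoded;
# line 4 hits a different path and is out of scope for this rule.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Sep/2025:10:01:02 +0000] "GET /index.php?name=alice HTTP/1.1" 200 512
203.0.113.7 - - [19/Sep/2025:10:01:09 +0000] "GET /index.php?name=;%3Cimg%20src%3Dxyz%20OnErRor%3Dalert(9801)%3E HTTP/1.1" 200 611
203.0.113.9 - - [19/Sep/2025:10:02:31 +0000] "GET /index.php?name=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 540
198.51.100.2 - - [19/Sep/2025:10:03:00 +0000] "GET /about.php?name=%3Cb%3Ehi HTTP/1.1" 200 300
"""

# Pull method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Fragments that should never appear in a CMS "name" value. All rules are
# case-insensitive, which is what catches the OnErRor variant.
XSS_RULES = {
    "html-tag": re.compile(r"<\s*(script|img|svg|iframe|body|object|embed|a)\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js-uri": re.compile(r"javascript\s*:", re.I),
}


def query_params(query):
    """Split a query string on '&' only.

    Some parsers (older Python parse_qs, for one) also split on ';', which would
    swallow the leading ';' of the published payload and hide it from the rule.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def decode_param(value, max_rounds=3):
    """Percent-decode repeatedly so %253C -> %3C -> < is seen as a '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return (fully decoded value, sorted names of rules that matched)."""
    decoded = decode_param(value)
    rules = sorted(name for name, rx in XSS_RULES.items() if rx.search(decoded))
    return decoded, rules


def scan_log(text, param="name", path="/index.php"):
    """Flag requests to `path` whose `param` value matches any XSS rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != path:
            continue
        for raw in query_params(parts.query).get(param, []):
            decoded, rules = classify(raw)
            if rules:
                findings.append({
                    "line": lineno,
                    "client": line.split()[0],
                    "decoded": decoded,
                    "rules": rules,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['client']}: "
              f"{finding['rules']} -> {finding['decoded']!r}")
```

Run it with no arguments to scan the embedded sample; in practice feed it the real access log and scope `path` and `param` to the endpoint in the advisory so the rule stays precise. Rules this simple produce false positives on free-text fields, so treat a hit as a lead to review the decoded value rather than a verdict.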

Impact

Successful exploitation lets the attacker run script with the privileges of the victim's session: perform actions on the victim's behalf through authenticated requests, read session cookies if they are not flagged HttpOnly, or inject a fake login form to phish credentials. Because the product is a business management and CRM system, this can expose sensitive business data or lead to account takeover, particularly if the user who opens the link is an administrator [1].

Mitigation

Status

The vendor was contacted but did not respond, and no official patch is known. Until one exists, operators should fix the reflection point themselves: encode the name value for the HTML context it is written into (in PHP, htmlspecialchars() with ENT_QUOTES covers both text and quoted-attribute contexts), and reject values that cannot legitimately contain markup. A Web Application Firewall can block the published payload as a stopgap, but keyword filters are easily bypassed (the published payload already uses mixed case), so a WAF should not be the only control. Given that the vendor is unresponsive and the product ships under several names, migration to a maintained alternative should be considered [1].
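The following is an added example, not code from the advisory or from the 07FLY project, showing the output-encoding fix recommended above next to the vulnerable reflection pattern. The two templates are hypothetical stand-ins for the CMS's real markup (the actual /index.php output is not known from the advisory); html.escape(quote=True) plays the role of PHP's htmlspecialchars(ENT_QUOTES). The TagCollector parser re-reads each rendered page the way a browser would, so the check is on which tags and event-handler attributes actually come out, not on string matching.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# The payload quoted in the advisory, still URL-encoded as it appears in the link.
PUBLISHED_PAYLOAD = ";%3Cimg%20src%3Dxyz%20OnErRor%3Dalert(9801)%3E"

# Hypothetical templates standing in for the CMS's markup (constructed for this
# example). One reflects into a text node, the other into a quoted attribute.
TEXT_TEMPLATE = "<p>Welcome, {name}!</p>"
ATTR_TEMPLATE = '<input name="q" value="{name}">'


def decoded_payload():
    """The published payload as the server receives it after URL decoding."""
    return unquote_plus(PUBLISHED_PAYLOAD)


def render_vulnerable(name):
    """Reflect the parameter as-is: the pattern behind the reported flaw."""
    return TEXT_TEMPLATE.format(name=name)


def render_safe(name):
    """Encode for an HTML text-node context before reflecting."""
    return TEXT_TEMPLATE.format(name=html.escape(name, quote=True))


def render_attr_vulnerable(name):
    """Same flaw in an attribute context: a leading quote breaks out of value=""."""
    return ATTR_TEMPLATE.format(name=name)


def render_attr_safe(name):
    """Encode for a double-quoted attribute; quote=True turns \" into &quot;."""
    return ATTR_TEMPLATE.format(name=html.escape(name, quote=True))


class TagCollector(HTMLParser):
    """Record every start tag a browser-side parser would see, with attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(markup):
    """List of (tag, {attr: value}) pairs in document order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_handlers(markup):
    """'tag@attr' for every on* event-handler attribute present after parsing."""
    return [
        f"{tag}@{attr}"
        for tag, attrs in tags_in(markup)
        for attr in attrs
        if attr.startswith("on")
    ]


if __name__ == "__main__":
    payload = decoded_payload()
    print("decoded payload:      ", payload)
    print("text ctx, vulnerable: ", injected_handlers(render_vulnerable(payload)))
    print("text ctx, encoded:    ", injected_handlers(render_safe(payload)))
    breakout = '" onfocus=alert(1) autofocus="'
    print("attr ctx, vulnerable: ", injected_handlers(render_attr_vulnerable(breakout)))
    print("attr ctx, encoded:    ", injected_handlers(render_attr_safe(breakout)))
```

The attribute case is included because htmlspecialchars() without ENT_QUOTES leaves a double quote alone in older PHP defaults, which is enough to break out of a value="" attribute; encoding for the specific context the value lands in is the whole point, and a single encode-everything call at input time is not a substitute.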

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0