CVE-2025-10711
Description
A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross-site scripting. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the 07FLYCMS Login page allows remote, unauthenticated attackers to inject arbitrary JavaScript via the Name parameter.
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in 07FLYCMS, 07FLY-CMS, and 07FlyCRM up to version 20250831. The flaw resides in the file /index.php/sysmanage/Login and is due to insufficient sanitization of the Name parameter in GET requests [1]. When a crafted payload is supplied to this parameter, the server reflects it back into the response without proper encoding, enabling script execution in the victim's browser.
Exploitation does not require authentication, as the login page is publicly accessible [1]. An attacker can inject a malicious JavaScript payload, for example by appending ;%3Cimg%20src%3Dxyz%20onerror%3Dalert(1)%3E to the URL. The attack is performed remotely, and the crafted link can be delivered via email, social media, or other channels to lure victims [1].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session on the affected ERP system. This can lead to theft of sensitive session tokens, impersonation of authenticated users, or redirection to phishing pages [1].
The vendor was contacted but did not respond, and no official patch has been released [CVE description]. As a workaround, input validation and output encoding should be implemented for the Name parameter. However, given the lack of vendor response, users are advised to consider alternative solutions or deploy web application firewall (WAF) rules to mitigate the risk.
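The output-encoding fix recommended above, as an added PHP example that is not 07FLYCMS code: the affected handler has not been published ("unknown code" in the CVE), so the vulnerable function, the hardened one and their names are a hypothetical reconstruction of the reflected-XSS pattern, exercised with the payload quoted in the disclosure.

```php
<?php
// Added example (not 07FLYCMS code): the real handler is not public, so this
// reconstructs a login page that echoes the Name query parameter into its
// HTML, beside the output-encoding fix. Function names are invented.

// Vulnerable pattern: the raw GET value is concatenated into the HTML body,
// so any markup in it is parsed by the browser as live elements.
function render_login_error_vulnerable(array $get): string
{
    $name = $get['Name'] ?? '';
    return '<p class="error">Unknown user: ' . $name . '</p>';
}

// Hardened pattern: encode for the HTML context before output. ENT_QUOTES
// also escapes both quote types, so the same helper stays safe inside
// attribute values; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function render_login_error_hardened(array $get): string
{
    $name = $get['Name'] ?? '';
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="error">Unknown user: ' . $safe . '</p>';
}

// Regression check for a test suite: is an <img element still present as
// live markup in the rendered page? After encoding, '<' becomes '&lt;' and
// the substring no longer matches.
function reflects_live_img(string $html): bool
{
    return stripos($html, '<img') !== false;
}

// Constructed request carrying the payload quoted in the disclosure, in the
// decoded form PHP places in $_GET.
$request = ['Name' => urldecode(';%3Cimg%20src%3Dxyz%20onerror%3Dalert(1)%3E')];

$vulnerable = render_login_error_vulnerable($request);
$hardened   = render_login_error_hardened($request);

echo "vulnerable: $vulnerable\n";  // the <img> is a real element; onerror runs
echo "hardened:   $hardened\n";    // angle brackets are entity-encoded text

var_dump(reflects_live_img($vulnerable));
var_dump(reflects_live_img($hardened));
```

Input validation on Name (length and an allow-list of characters the application actually accepts in user names) is a second layer; encoding at the output point is what closes the reflection itself.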
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.