How the CVE Works:
CVE-2025-3397 is a reflected Cross-Site Scripting (XSS) vulnerability in YzmCMS 7.1, specifically in the `message.tpl` file. The flaw arises because the `gourl` parameter is not properly sanitized before it is written into the page, which allows attackers to inject arbitrary JavaScript. When a victim visits a crafted URL containing a malicious payload in the `gourl` parameter, the script executes in their browser in the context of the site. This enables session hijacking, defacement, or phishing. The vulnerability is remotely exploitable with no authentication required (PR:N). The CVSS 4.0 score of 5.3 (MEDIUM) reflects its moderate impact: it needs passive user interaction (UI:P) and has only low integrity impact (VI:L).
DailyCVE Form:
Platform: YzmCMS
Version: 7.1
Vulnerability: XSS
Severity: Medium
Date: 04/09/2025
What Undercode Say:
Exploitation:
1. Craft a malicious URL:
http://target.com/message.tpl?gourl=javascript:alert(document.cookie)
2. Social-engineer victims to click the link.
Detection:
1. Check whether the parameter is reflected unencoded. A harmless marker is enough; the `grep` count is above 0 when the raw marker comes back in the page:
curl -s "http://target.com/message.tpl?gourl=%3Cxsstest%3E" | grep -c "<xsstest>"
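Detection does not have to stop at probing the endpoint. The following PHP script is an added example, not part of the advisory or of YzmCMS: it scans web-server access logs for requests whose `gourl` value carries a script-like scheme or tag, so that probing of the vulnerable endpoint shows up in SOC triage. The log lines are constructed for the example (combined log format); the function name `suspiciousGourlRequests` and the constant `SAMPLE_ACCESS_LOG` are the example's own.

```php
<?php
// Added example (not advisory or YzmCMS code): flag access-log requests
// whose `gourl` parameter carries script-like content. The log lines are
// constructed for the example, in Apache/nginx "combined" format.
declare(strict_types=1);

const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.10 - - [09/Apr/2025:10:01:12 +0000] "GET /message.tpl?gourl=%2Fmember%2Findex.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Apr/2025:10:02:30 +0000] "GET /message.tpl?gourl=javascript:alert(document.cookie) HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [09/Apr/2025:10:03:05 +0000] "GET /message.tpl?gourl=JaVa%09ScRiPt%253Aalert(1) HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.13 - - [09/Apr/2025:10:04:44 +0000] "GET /message.tpl?gourl=%3Cscript%3E HTTP/1.1" 200 700 "-" "python-requests/2.31"
203.0.113.14 - - [09/Apr/2025:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

/**
 * Return the log entries whose gourl value looks like script injection.
 * Each hit is ['ip' => ..., 'time' => ..., 'gourl' => decoded value].
 */
function suspiciousGourlRequests(string $accessLog): array
{
    // Scheme or script-tag fragments a return URL should never contain.
    // Whitespace and control characters are stripped before matching,
    // because browsers ignore tabs and newlines inside a URL scheme.
    $badPattern = '/(?:javascript|vbscript|data):|<\/?script/i';

    $hits = [];
    foreach (preg_split('/\R/', trim($accessLog)) as $line) {
        // ip, ident, user, [time], "METHOD target protocol"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"/', $line, $m)) {
            continue; // not a combined-format request line
        }
        [, $ip, $time, $target] = $m;

        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params); // first URL-decoding pass
        if (!isset($params['gourl']) || !is_string($params['gourl'])) {
            continue;
        }
        // Second pass catches double-encoded values such as %253A.
        $value   = rawurldecode($params['gourl']);
        $compact = preg_replace('/[\x00-\x20\x7F]+/', '', $value);

        if (preg_match($badPattern, $compact) === 1) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'gourl' => $value];
        }
    }
    return $hits;
}

// Stand-alone run: one line per suspicious request
// (lines 2, 3 and 4 of the sample log are reported).
if (PHP_SAPI === 'cli') {
    foreach (suspiciousGourlRequests(SAMPLE_ACCESS_LOG) as $hit) {
        printf("%s %s gourl=%s\n", $hit['time'], $hit['ip'], $hit['gourl']);
    }
}
```

The third sample line shows why decoding and whitespace stripping matter: `JaVa%09ScRiPt%253A` only becomes `javascript:` after a second URL-decode and removal of the tab, so a naive case-sensitive string match on the raw log line misses it. Run it as `php detect_gourl.php` against a real log by swapping the constant for `file_get_contents()` of the access log.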
Mitigation:
1. Patch: validate `gourl` as a URL and encode it at output. Encoding alone is not enough when the value lands in a link or redirect, because a `javascript:` URL contains no HTML metacharacters and passes through `htmlspecialchars()` unchanged; reject any value that is not a relative path or an allowlisted http(s) URL, then encode:
$gourl = htmlspecialchars($_GET['gourl'], ENT_QUOTES, 'UTF-8');
2. Block direct requests to template files at the web server. Note that this nginx rule denies the endpoint outright rather than filtering XSS patterns, so it only applies where `.tpl` files are not meant to be requested directly (the dot must be escaped in the regex):
location ~ \.tpl$ { deny all; }
3. Use CSP headers. A policy that permits `'unsafe-inline'` does not stop reflected inline scripts, so scripts must be allowed from the site's own origin only:
Content-Security-Policy: default-src 'self'; script-src 'self'
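The patch above is only part of the fix: `htmlspecialchars()` protects the HTML context, but it leaves a `javascript:` value intact when it is used as a link target. The following PHP is an added example, not YzmCMS code, of a hardened handler for a return-URL parameter such as `gourl`. It assumes the application only needs to send users back to a page on its own site, so only a same-site relative path is accepted and everything else falls back to a fixed page; the functions `safeReturnPath`, `e` and `renderBackLink` and the fallback `/index.php` are the example's own.

```php
<?php
// Added example, not YzmCMS code: validate a user-supplied return URL
// before it reaches HTML, then HTML-encode it at output.
// Assumption: only a same-site relative path is ever a legitimate value.
declare(strict_types=1);

/**
 * Accept only a relative path that starts with a single "/" and uses a
 * conservative character set. This rejects javascript:, data:, absolute
 * http(s) URLs, protocol-relative "//host" and "/\host" variants, and
 * any quotes, angle brackets or control characters, so the value cannot
 * change the scheme or host the browser navigates to.
 */
function safeReturnPath(?string $raw, string $fallback = '/index.php'): string
{
    if ($raw === null) {
        return $fallback;
    }
    $value = trim($raw);
    $ok = preg_match('#\A/(?![/\\\\])[A-Za-z0-9._~\-/?=&%+]*\z#', $value) === 1;
    return $ok ? $value : $fallback;
}

/** HTML-encode a value for use inside an attribute or text node. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the "go back" link from the request parameter.
 * The vulnerable pattern the advisory describes writes the raw parameter
 * straight into href="...": with javascript:alert(document.cookie) the
 * link itself runs script when clicked, and htmlspecialchars() would not
 * alter that value at all. Here the value is validated first and encoded
 * second, so both the URL scheme and the HTML attribute are safe.
 */
function renderBackLink(?string $gourl): string
{
    $path = safeReturnPath($gourl);
    return '<a href="' . e($path) . '">back</a>';
}

// Stand-alone demonstration with constructed inputs.
if (PHP_SAPI === 'cli') {
    $samples = [
        '/member/index.html',                // accepted
        '/list.html?catid=2&page=3',         // accepted (encoded to &amp; in HTML)
        'javascript:alert(document.cookie)', // rejected -> fallback
        '//evil.example/phish',              // rejected -> fallback
        'http://evil.example/phish',         // rejected -> fallback
        '/a"b',                              // rejected -> fallback (quote)
        null,                                // missing -> fallback
    ];
    foreach ($samples as $s) {
        echo str_pad(var_export($s, true), 40), ' => ', renderBackLink($s), PHP_EOL;
    }
}
```

In the real template, `renderBackLink($_GET['gourl'] ?? null)` replaces the raw echo. If `message.tpl` instead writes the value into a `<script>` block (for example into `location.href`), the encoding step must match that context (`json_encode()` with `JSON_HEX_TAG | JSON_HEX_QUOT`) rather than `htmlspecialchars()`; the validation step stays the same.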
Analysis Tools:
1. Test payloads with Burp Suite or OWASP ZAP.
2. Verify fixes with the nmap NSE script that spiders a site for unescaped reflected input:
nmap -p 80 --script http-unsafe-output-escaping target.com
References:
- VulDB Entry: CVE-2025-3397
- NVD (source of the report): https://nvd.nist.gov/vuln/detail/CVE-2025-3397
Impact Metrics:
- Attack Vector: Network (AV:N)
- User Interaction: Required, passive (UI:P)
- Exploitability: High (AC:L, AT:N)
Extra Source Hub:
Undercode