sunkaifei FlyCMS CVE-2025-15093
Severity: Low (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing a manipulation of the argument redirectUrl results in cross-site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Cross-site scripting (XSS) in the sunkaifei FlyCMS Admin Login component allows remote attackers to inject malicious scripts via the redirectUrl parameter handled by IndexAdminController.java. The vulnerability requires user interaction (UI:P) and results in limited integrity impact (VI:L), giving a very low CVSS score of 2.1 despite public exploit availability. Active exploitation risk is minimal given the low EPSS score (0.02%, 6th percentile) and the need to social-engineer the admin user.
Technical Context (AI-generated)
The vulnerability exists in the Admin Login authentication flow of FlyCMS, a Java-based content management system. The IndexAdminController.java component fails to properly sanitize or validate the redirectUrl parameter before reflecting it in the HTTP response, enabling reflected XSS attacks. This falls under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack vector is network-accessible but requires user interaction, indicating the attacker must trick an authenticated admin into clicking a malicious link containing the crafted redirectUrl payload.
Remediation (AI-generated)
No official vendor-released patch is available, as the vendor did not respond to the early disclosure. The primary remediation is to upgrade to the latest commit beyond abbaa5a8daefb146ad4d61027035026b052cb414 from the GitHub repository (https://github.com/sunkaifei/FlyCms/), although no patched version has been confirmed. As immediate compensating controls: set a Content Security Policy (CSP) header with script-src 'self' (which blocks inline script execution) and frame-ancestors 'self'; validate the redirectUrl parameter and reject values carrying javascript: or data: URI schemes; deploy a web application firewall (WAF) rule to block requests with encoded or obfuscated XSS payloads in redirectUrl; and restrict admin login access to trusted IP ranges. Educate administrators not to follow redirect links from untrusted sources. These controls reduce exploitability while awaiting an upstream fix, although CSP may affect legitimate redirect functionality depending on the deployment architecture.
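The redirectUrl validation suggested above, as an added example that is not FlyCMS code: rather than a blocklist of javascript: and data: schemes, it applies an allow-list (only an absolute path on the current origin passes, everything else falls back to a fixed landing page) and escapes the value wherever it is reflected into HTML. The class name, method names and the default landing page are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added example, not FlyCMS code. Class and method names are hypothetical;
// the project's IndexAdminController is not reproduced here.
public final class RedirectUrlGuard {
    private static final String DEFAULT_TARGET = "/admin/index"; // assumed landing page

    // Allow-list check for a login redirect target: accept only an absolute
    // path on the current origin. Any value with a scheme (javascript:,
    // data:, http:) or an authority (//evil.example) falls back to the
    // default, so no blocklist of bad schemes has to be maintained.
    public static String safeRedirect(String redirectUrl) {
        if (redirectUrl == null || redirectUrl.isEmpty()) return DEFAULT_TARGET;
        URI uri;
        try {
            // java.net.URI rejects raw '<', '"', '\\', spaces and control characters.
            uri = new URI(redirectUrl);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) return DEFAULT_TARGET;
        String path = uri.getRawPath();
        // "//host" with an empty authority parses to path "//host"; browsers read it as a host.
        if (path == null || !path.startsWith("/") || path.startsWith("//")) return DEFAULT_TARGET;
        return redirectUrl;
    }

    // Escape the value before it is reflected into HTML (a hidden form field,
    // an error message), so neither an accepted nor a rejected value can
    // break out of its attribute or text context.
    public static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first three are rejected, the last passes.
        List<String> samples = List.of("javascript:alert(1)", "//evil.example/admin",
                "/admin\"><script>x</script>", "/admin/articles?page=2");
        for (String s : samples) {
            System.out.println(htmlEscape(s) + " -> " + safeRedirect(s));
        }
    }
}
```

Compile and run with `javac RedirectUrlGuard.java && java RedirectUrlGuard` (Java 9 or later for List.of).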