VYPR
Moderate severity · NVD Advisory · Published Aug 26, 2021 · Updated Aug 4, 2024

CVE-2020-19709

Description

Insufficient filtering of the tag parameters in feehicms 0.1.3 allows attackers to execute arbitrary web or HTML via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 0.1.3 does not sanitize the 'tag' parameter in the search/tag endpoint, allowing reflected cross-site scripting (XSS) attacks.

Vulnerability

FeehiCMS version 0.1.3 [1] contains a cross-site scripting (XSS) vulnerability in the search/tag route. The tag parameter is not properly filtered before being rendered in the response, allowing an attacker to inject arbitrary HTML or JavaScript. The issue is documented in the project's issue tracker [3].

Exploitation

An attacker can craft a GET request to http:///index.php?r=search%2Ftag&tag= [3]. No authentication is required. The payload executes in the browser of any user who visits the crafted URL, either directly or via a social engineering lure.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, credential theft, or defacement of the page. The attack is limited to the browser context and does not directly compromise the server.

Mitigation

As of the publication date (2021-08-26), no official patch has been released for this vulnerability [2]. Users should consider upgrading to a later version if available, or implement server-side input sanitization for the tag parameter. The project may be unmaintained; alternative CMS solutions should be evaluated.
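To make the server-side fix concrete, here is an added illustration (example code, not FeehiCMS's own): a stand-in for the search/tag handler showing the unsafe reflection pattern beside a version that encodes the tag for an HTML context, plus an optional shape check. Function names, the tag pattern and the sample values are assumptions.

```php
<?php
// Added example, not FeehiCMS code: a stand-in for the search/tag handler that
// reflects the "tag" query parameter into the page. Function names and the
// sample values are assumptions made for this illustration.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into HTML, so any
// markup or script in it becomes part of the document the browser executes.
function renderTagHeadingUnsafe(string $tag): string
{
    return '<h2>Articles tagged: ' . $tag . '</h2>';
}

// Hardened pattern: encode at the point of output for an HTML text context.
// ENT_QUOTES also escapes both quote characters, which matters if the same
// value is ever placed inside an attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, so nothing is silently dropped.
function renderTagHeadingSafe(string $tag): string
{
    $encoded = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>Articles tagged: ' . $encoded . '</h2>';
}

// Defence in depth: tags are short labels, so reject values that do not look
// like one before rendering. The pattern is an assumption; widen it to match
// the site's real tag vocabulary rather than relaxing the output encoding.
function isWellFormedTag(string $tag): bool
{
    return preg_match('/^[\p{L}\p{N} _.-]{1,64}$/u', $tag) === 1;
}

// Constructed inputs: a normal tag and one carrying the characters that must
// never reach the page unencoded (harmless markup, used only to show encoding).
$samples = ['php-tips', '<i>news</i> "quoted"'];

foreach ($samples as $tag) {
    printf("input      : %s\n", $tag);
    printf("well-formed: %s\n", isWellFormedTag($tag) ? 'yes' : 'no (reject or fall back)');
    printf("unsafe     : %s\n", renderTagHeadingUnsafe($tag));
    printf("safe       : %s\n\n", renderTagHeadingSafe($tag));
}
```

Output encoding in the template is the primary fix; the allow-list only narrows what reaches it and must not replace it.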

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/feehicms (Packagist)
Affected versions: <= 0.1.3
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.