CVE-2020-20589
Description
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via the lang attribute of an HTML tag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS 2.0.8 contains a stored Cross-Site Scripting (XSS) vulnerability via the lang parameter, allowing remote attackers to execute arbitrary JavaScript.
The vulnerability is a stored Cross-Site Scripting (XSS) issue in FeehiCMS version 2.0.8, identified by CVE-2020-20589. The flaw occurs when the lang attribute of an HTML tag is manipulated, enabling attackers to inject arbitrary JavaScript code. This is evident from the Lang parameter in site/language endpoints, which is not properly sanitized [3].
Remote attackers can exploit this vulnerability by crafting a URL with a malicious lang parameter, such as english">. The injected script executes when a user views any post, affecting both frontend and backend interfaces [3]. No authentication is required for exploitation, making it easily accessible to any visitor [2].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, compromising user data and site integrity [1][2].
As of the latest advisory, no official patch has been released for this vulnerability. The vendor's repository and issue tracker document the flaw but do not indicate a fix [1][3]. Users are advised to implement input validation or upgrade if a patched version becomes available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/feehicms (Packagist) | <= 2.0.8 | — |
Affected products
- FeehiCMS/FeehiCMS (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-pwh3-3pcm-6vjh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-20589 (ghsa, ADVISORY)
- github.com/liufee/cms/issues/45 (ghsa, WEB)