VYPR
Moderate severity · NVD Advisory · Published Dec 15, 2022 · Updated Apr 21, 2025

CVE-2020-36607

Description

Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via the lang attribute of an html tag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 2.0.8 contains a reflected XSS vulnerability: the lang query parameter is written unencoded into the lang attribute of an HTML tag, allowing arbitrary JavaScript execution in the browser of anyone who opens a crafted URL.

Root Cause

FeehiCMS 2.0.8 includes a Cross-Site Scripting (XSS) vulnerability that allows attackers to inject arbitrary JavaScript through the lang attribute of an HTML tag. The vulnerability arises because the user-supplied language parameter is neither validated against the set of supported languages nor HTML-attribute-encoded before it is reflected into the application's response [1].

Attack Vector

An attacker can exploit this flaw by crafting a URL whose lang parameter begins with english"> (the double quote terminates the attribute value and the angle bracket closes the tag, so whatever follows in the parameter is parsed as markup). When a victim visits this URL in either the frontend or backend interface, the injected script executes in their browser [2]. Authentication is not required for exploitation, as the frontend endpoint is publicly accessible. Because the same parameter is reflected in both the frontend and the admin panel, an administrator who opens the link has their privileged session exposed, which broadens the attack surface.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, defacement of the website, or other malicious actions that the browser permits for the application's origin. The vulnerability is classified as moderate severity due to the potential for account compromise and data exposure.

Mitigation

As of the advisory, the issue has been reported to the vendor via the GitHub issue tracker [2]. No official patch or workaround has been released, and the advisory lists no patched version. Users are advised to update FeehiCMS once a fix is available. Until then, the lang parameter should be validated against an allowlist of the languages the site actually supports (falling back to the default language on any mismatch) and HTML-attribute-encoded at the point where it is written into the tag; validation alone is not sufficient, because the value is reflected into an attribute context where a single unencoded quote is enough to break out.
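The following is an added example, not FeehiCMS code, that reproduces the attribute-context break-out described under Attack Vector and shows the two mitigations side by side. The template strings, the SUPPORTED_LANGS allowlist and the trailing tag in PAYLOAD are constructed for illustration; the page only shows the english"> prefix of the real payload, and FeehiCMS's actual templates and language list are not reproduced here.

```python
"""Added example (not FeehiCMS code): attribute-context XSS via a `lang`
query parameter, beside output encoding and allowlist validation fixes.
Everything below is constructed for illustration."""
import html
import re
from typing import Optional

# Constructed allowlist standing in for the languages a site has installed.
SUPPORTED_LANGS = {"en", "zh-CN", "zh-TW"}

# The `lang` value an attacker would put in the URL. The double quote closes
# the attribute, the angle bracket closes the tag, and the rest is parsed as
# markup. The page shows only the `english">` prefix; the <img> tag is an
# illustrative stand-in for whatever the attacker appends.
PAYLOAD = 'english"><img src=x onerror=alert(1)>'


def render_vulnerable(lang: str) -> str:
    """Interpolates the raw query value into an attribute: the bug class the
    advisory describes (value reflected into the response without encoding)."""
    return f'<html lang="{lang}"><body>...</body></html>'


def render_encoded(lang: str) -> str:
    """Fix 1: output encoding for the attribute context. quote=True turns
    " and ' into entities, so the value can no longer terminate the attribute,
    and < > & are encoded as well."""
    return f'<html lang="{html.escape(lang, quote=True)}"><body>...</body></html>'


# Syntactic shape of a language tag (primary subtag plus optional subtags).
_LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def select_lang(requested: Optional[str], default: str = "en") -> str:
    """Fix 2: input validation. Accept only a plausibly shaped tag that is also
    in the site's allowlist; on any mismatch fall back to the default language
    rather than echoing the request."""
    if requested and _LANG_TAG.match(requested) and requested in SUPPORTED_LANGS:
        return requested
    return default


def render_hardened(lang: Optional[str]) -> str:
    """Both fixes together: validate first, then still encode on output, so a
    later change to the allowlist cannot silently reintroduce the break-out."""
    return render_encoded(select_lang(lang))


def injects_markup(rendered: str) -> bool:
    """Check used by the tests: did the payload's tag survive as real markup?"""
    return "<img" in rendered


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # attribute broken, <img ...> becomes markup
    print(render_encoded(PAYLOAD))     # quote and brackets neutralised
    print(render_hardened(PAYLOAD))    # payload rejected, default language used
```

In a PHP/Yii2 code base such as FeehiCMS the encoding step corresponds to yii\helpers\Html::encode() or htmlspecialchars($value, ENT_QUOTES, 'UTF-8') at the point of output; the allowlist step is the lookup against the languages the site has configured.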

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/feehicms (Packagist)
Affected versions: <= 2.0.8
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)