CVE-2021-36572
Description
Cross Site Scripting (XSS) vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via the user name field of the login page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Feehi CMS versions up to 2.1.1 contain a reflected XSS vulnerability in the login page's username field, allowing arbitrary JavaScript execution.
Vulnerability Overview
CVE-2021-36572 describes a Cross-Site Scripting (XSS) vulnerability in Feehi CMS through version 2.1.1. The issue resides in the login page, where the username field is not properly sanitized before being reflected in the server's response [2]. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser.
Exploitation
An attacker can exploit this vulnerability by submitting a crafted payload in the username field of the login form. No authentication is required, as the login page is publicly accessible. The injected script is executed when the page renders the input, making it a classic reflected XSS attack [3]. The attack can be delivered via social engineering or by tricking a user into visiting a maliciously crafted URL.
Impact
Successful exploitation enables arbitrary code execution in the victim's browser. This can lead to session hijacking, defacement of the application, or theft of sensitive information such as cookies and credentials. The impact is limited to the client side, but it can compromise user accounts and the integrity of the application.
Mitigation
As of the publication date, no official patch has been released for this vulnerability. Users of Feehi CMS 2.1.1 or earlier are advised to apply input validation and output encoding on the username field, or upgrade to a patched version if available. The issue was reported via the project's GitHub issue tracker [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/feehicms (Packagist) | <= 2.1.1 | — |
Affected products
- Feehi CMS/Feehi CMS
Patches
No patches discovered yet.
References
[1] github.com/advisories/GHSA-m54v-gv8p-9pqp (GHSA, advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2021-36572 (GHSA, advisory)
[3] github.com/liufee/cms/issues/58 (GHSA, web)