VYPR
Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-34140


Description

A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts via the username field during user registration.

Vulnerability

Description

A stored cross-site scripting (XSS) vulnerability exists in Feehi CMS v2.1.1, specifically in the /index.php?r=site%2Fsignup endpoint. The application fails to properly sanitize the username input during user registration, allowing attackers to inject arbitrary web scripts or HTML. This injection is stored on the server and executed when the malicious username is rendered in other parts of the application, such as article pages [1].

Exploitation

To exploit the vulnerability, an attacker navigates to the signup page and enters a crafted payload in the username field, such as ">. After completing the registration, the payload is stored. Subsequently, when any user (including administrators) views an article or other content that displays the username, the injected script executes in the context of the victim's browser [3]. No authentication is required for the initial injection, but the attacker must complete the registration process.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can be leveraged to steal session cookies, perform actions on behalf of the victim (e.g., posting comments or modifying content), or launch phishing attacks. The stored nature of the XSS amplifies its reach, as every user visiting the affected page becomes a potential target [3].

Mitigation

As of the publication date, no official patch has been released for this vulnerability. The vendor may have addressed it in later versions, but users of Feehi CMS v2.1.1 are advised to apply input validation and output encoding to prevent XSS, or to upgrade to a newer version if available [1][3].
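The two controls named above, input validation at signup and output encoding at render time, shown as an added PHP sketch. This is not Feehi CMS code or a vendor fix; the function names, the username policy and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Feehi CMS code: all function names and the username
// policy below are assumptions made for illustration.

/** Input validation at signup: allow-list the username shape (assumed policy). */
function isValidUsername(string $username): bool
{
    // 3-32 characters: ASCII letters, digits, underscore, dot, hyphen.
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) === 1;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function encodeForHtml(string $value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Weak pattern: the stored value is concatenated into markup unchanged. */
function renderAuthorUnsafe(string $username): string
{
    return '<span class="author">' . $username . '</span>';
}

/** Hardened pattern: encode at the point of output, whatever was stored. */
function renderAuthorSafe(string $username): string
{
    return '<span class="author">' . encodeForHtml($username) . '</span>';
}

// Constructed sample usernames: one ordinary, one carrying inert markup.
$samples = ['alice_01', 'bob"><i>markup</i>'];

foreach ($samples as $name) {
    echo 'username: ', $name, PHP_EOL;
    echo '  accepted at signup: ', isValidUsername($name) ? 'yes' : 'no', PHP_EOL;
    echo '  unsafe render:      ', renderAuthorUnsafe($name), PHP_EOL;
    echo '  safe render:        ', renderAuthorSafe($name), PHP_EOL;
}
```

Validation alone does not cover usernames stored before the check was introduced, so the encoding step has to be applied wherever the username is rendered.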

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/cms (Packagist)
Affected versions: <= 2.1.1
Patched versions: (none listed)

Affected products

2

Patches

0

No patches discovered yet.


References

5
