CVE-2022-40000
Description
Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the username field of the admin log in page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS 2.1.1 admin login page username field contains a stored XSS, allowing arbitrary JavaScript execution via crafted input.
Vulnerability
Analysis
FeehiCMS version 2.1.1 is affected by a Cross-Site Scripting (XSS) vulnerability in the username field of the admin login page. The application fails to properly sanitize or escape user-supplied input before rendering it in the backend interface, allowing an attacker to inject arbitrary JavaScript code. This is a classic stored XSS issue because the injected payload is persisted and executed when an administrator views the affected page [1][3].
Exploitation
An attacker who can submit a crafted username during the login process can inject malicious scripts into the admin panel. The attack requires no special privileges beyond access to the login form. If an administrator subsequently views the logs or any page that displays the malicious username (e.g., user management sections), the injected script executes in the context of the administrator's session. The vulnerability can be triggered without authentication, as the login page is publicly accessible [2][3].
Impact
Successful exploitation enables arbitrary JavaScript execution in the browser of an authenticated administrator. This can lead to session hijacking, credential theft, defacement, or further compromise of the CMS backend. Since the attacker can perform actions as the logged-in administrator, the entire application and its data may be at risk [1][3].
Mitigation
As of the publication date (December 15, 2022), a fix for CVE-2022-40000 was not confirmed in the official repository; the issue tracker remains open. Administrators should apply input validation and output encoding to all user-controlled fields, especially the username input. It is also recommended to use web application firewall (WAF) rules or Content Security Policy (CSP) headers to reduce the risk of exploitation [2][3].
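The two controls named above, input validation on the username and output encoding wherever the stored value is rendered, are shown side by side below as an added illustration. This is not FeehiCMS code (FeehiCMS is PHP; the example is written in Python purely to show the pattern), and the login-log structure, the username allowlist and the CSP value are assumptions chosen for the demonstration.

```python
import html
import re

# Constructed sample login-log entries, modelled on the advisory's description of
# usernames being persisted and later shown to an administrator (not FeehiCMS data).
LOGIN_LOG = [
    {"username": "alice", "result": "success"},
    {"username": "<script>alert(1)</script>", "result": "failed"},
]

# Allowlist for usernames: letters, digits, dot, underscore, hyphen, 1-64 characters.
# An assumed policy for illustration; adapt it to the application's own rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(name: str) -> bool:
    """Input validation: reject anything outside the allowlist before it is stored."""
    return USERNAME_RE.fullmatch(name) is not None


def render_row_vulnerable(entry: dict) -> str:
    """The pattern the advisory describes: the stored value is concatenated into
    HTML unchanged, so markup inside the username becomes live markup in the
    administrator's page."""
    return f"<tr><td>{entry['username']}</td><td>{entry['result']}</td></tr>"


def render_row_hardened(entry: dict) -> str:
    """Output encoding: every user-controlled value is HTML-escaped at the point it
    is placed into the page, whether or not it passed validation on the way in."""
    return (
        f"<tr><td>{html.escape(entry['username'], quote=True)}</td>"
        f"<td>{html.escape(entry['result'], quote=True)}</td></tr>"
    )


# Assumed Content-Security-Policy for the admin panel: inline scripts are not
# allowed, so an injected <script> body would not run even if an encoding bug
# slipped through. Send it as a response header; the header-setting API depends
# on the web framework in use.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


if __name__ == "__main__":
    for entry in LOGIN_LOG:
        print("valid input:", is_valid_username(entry["username"]))
        print("vulnerable: ", render_row_vulnerable(entry))
        print("hardened:   ", render_row_hardened(entry))
```

Validation alone is not enough: a log viewer may display values that were stored before the allowlist existed or that arrived through another path, so the escaping in the rendering layer is the control that actually closes the issue, with CSP as defence in depth.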
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/feehicms (Packagist) | <= 2.1.1 | — |
Affected products
- FeehiCMS/FeehiCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8vjp-hfgh-68rj (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-40000 (NVD advisory)
- github.com/liufee/cms/issues/64 (issue report)
News mentions
No linked articles in our index yet.