Moderate severity · NVD Advisory · Published Dec 15, 2022 · Updated Apr 21, 2025

CVE-2022-40001

Description

Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the title field of the create article page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 2.1.1 contains a stored XSS vulnerability in the article title field, allowing authenticated attackers to execute arbitrary JavaScript in the admin panel.

Vulnerability

Description

FeehiCMS 2.1.1 suffers from a stored Cross-Site Scripting (XSS) vulnerability in the title field of the create article page [1][2]. The application fails to properly sanitize or escape user input in the title parameter, allowing an attacker to inject arbitrary HTML and JavaScript code that is stored and later executed when the article is viewed [2].

Exploitation

Prerequisites

An attacker must be an authenticated user with permission to create articles in the FeehiCMS backend [2]. The exploit is triggered when any user (including administrators) accesses the article list or edit page, causing the injected script to execute in the victim's browser within the context of the admin panel [2].

Impact

Successful exploitation enables arbitrary JavaScript execution, which can be used to steal session cookies, perform actions on behalf of the victim, deface the admin interface, or pivot to further attacks against the CMS and its data [2][3].

Mitigation

Status

As of the advisory date, no official patch has been released for this vulnerability [1]. Administrators are advised to upgrade to the latest version of FeehiCMS if available, or manually implement input validation and output encoding for the article title field to prevent XSS attacks [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/feehicms (Packagist)
Affected versions: <= 2.1.1
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

3