CVE-2022-40002
Description
Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the callback parameter to /cms/notify.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS 2.1.1 is vulnerable to reflected XSS via the callback parameter in /cms/notify, allowing remote attackers to execute arbitrary JavaScript in a victim's browser.
Vulnerability
Overview
CVE-2022-40002 describes a Cross-Site Scripting (XSS) vulnerability in FeehiCMS version 2.1.1. The flaw resides in the /cms/notify endpoint, where the callback parameter is not properly sanitized before being reflected in the response. This allows an attacker to inject arbitrary JavaScript code, which will be executed in the context of the victim's browser [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the callback parameter. No authentication is required to trigger the XSS, as the /cms/notify endpoint is publicly accessible. The attack can be delivered via social engineering (e.g., tricking a user into clicking the crafted link) or by embedding the URL in a third-party site. The injected script executes when the victim visits the manipulated page [2][3].
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing session cookies, defacing the page, or redirecting the user to a malicious site. If the victim is an authenticated administrator, the attacker can act with those privileges, potentially leading to full compromise of the CMS instance [2][3].
Mitigation
As of the publication date (2022-12-15), no official patch has been released by the vendor. Users are advised to apply input validation on the callback parameter or disable the /cms/notify endpoint if not needed. The issue is tracked in the project's GitHub repository [1][2].
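The mitigation above (validate the callback parameter before echoing it) is the standard fix for a JSONP-style endpoint: accept only a JavaScript identifier, emit the payload as JSON rather than string-interpolated text, and label the response as script rather than HTML so a browser never renders it as a document. The following is an added example, not FeehiCMS code; it sketches the handler in Python (FeehiCMS itself is PHP) with the hypothetical names build_notify_response and flag_suspicious_requests, and the access-log lines are constructed for the demonstration. The second function is the defender's counterpart: it scans web-server logs for /cms/notify requests whose callback value would fail the same allow-list.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a JSONP callback: a JavaScript identifier, optionally dotted
# (e.g. "app.handlers.onNotify"). Anything else is rejected outright.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
CALLBACK_RE = re.compile(rf"^{_IDENT}(?:\.{_IDENT})*$")
MAX_CALLBACK_LEN = 64


def is_safe_callback(name: str) -> bool:
    """True only if the callback is a bounded, identifier-shaped name."""
    return 0 < len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def build_notify_response(callback, payload: dict):
    """Hypothetical /cms/notify handler: returns (status, headers, body).

    The callback is checked against the allow-list, the payload is JSON-encoded
    (never concatenated as raw text), and the response is declared as script
    with sniffing disabled so it cannot be interpreted as HTML.
    """
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    if callback is None or not is_safe_callback(callback):
        return 400, headers, "/**/ /* invalid callback */"
    # Escape "<" inside JSON strings so the body can never contain "</script>".
    data = json.dumps(payload, ensure_ascii=True).replace("<", "\\u003c")
    # A leading comment keeps the body from being parsed as some other file type.
    return 200, headers, f"/**/{callback}({data});"


# Constructed combined-log-format lines for the detection check below.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2022:10:00:01 +0000] "GET /cms/notify?callback=app.onNotify&id=7 HTTP/1.1" 200 61',
    '203.0.113.9 - - [15/Dec/2022:10:00:02 +0000] "GET /cms/notify?callback=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 80',
    '203.0.113.7 - - [15/Dec/2022:10:00:03 +0000] "GET /index.php?r=site/index HTTP/1.1" 200 1024',
]


def flag_suspicious_requests(log_lines):
    """Return decoded callback values from /cms/notify requests that fail the allow-list."""
    flagged = []
    request_re = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    for line in log_lines:
        m = request_re.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/cms/notify":
            continue
        # parse_qs percent-decodes, so the check sees what the handler would see.
        for cb in parse_qs(parts.query).get("callback", []):
            if not is_safe_callback(cb):
                flagged.append(cb)
    return flagged


if __name__ == "__main__":
    print(build_notify_response("app.onNotify", {"ok": True}))
    print(build_notify_response("<b>x</b>", {}))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The allow-list approach is deliberately stricter than escaping: an HTML-escaped callback name would still break the generated JavaScript, whereas rejecting anything that is not an identifier leaves no payload shape to reflect. The same regex doubles as a cheap log-side indicator until a vendor fix is available.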
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/feehicms (Packagist) | <= 2.1.1 | — |
Affected products
- FeehiCMS/FeehiCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6vh6-72g6-xqx2 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-40002 (advisory, via GHSA)
- github.com/liufee/cms/issues/66 (web, via GHSA)
News mentions
No linked articles in our index yet.