VYPR
Moderate severity · NVD Advisory · Published Dec 15, 2022 · Updated Apr 21, 2025

CVE-2022-40373

Description

Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 2.1.1 contains a stored XSS vulnerability via crafted XML file upload, allowing arbitrary script execution.

Vulnerability

Overview

CVE-2022-40373 describes a Cross-Site Scripting (XSS) vulnerability in FeehiCMS version 2.1.1. The root cause is insufficient sanitization of uploaded XML files, which can contain malicious payloads. When the crafted XML file is accessed or processed by the application, the injected scripts execute in the context of the victim's browser [1][2].

Exploitation

Prerequisites

An attacker must be able to upload an XML file to the FeehiCMS instance. The official description states the attack can be carried out remotely, and the referenced issue notes that no authentication is required when the upload function is exposed, which makes the attack surface broad [2][3]. The attacker crafts an XML file containing JavaScript or other script code and then tricks an administrator or user into viewing the uploaded file or a page that renders its content.

Impact

Successful exploitation allows the attacker to execute arbitrary code within the browser session of any user who views the malicious XML file. This can lead to session hijacking, defacement, theft of sensitive data, or further attacks against the CMS backend. The NVD entry confirms the vulnerability is of type CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.1 (Medium severity), indicating a moderate impact [3].

Mitigation

As of the publication date (2022-12-15), the vendor had not released a patched version. The issue was reported on the project's GitHub repository, where users are advised to implement input validation and sanitization for XML uploads, restrict upload permissions, or apply a web application firewall rule to block malicious XML content [2]. The software is open-source, so organizations may also fork the repository and directly address the missing sanitization.
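As an added defensive example (not FeehiCMS code; the flagged namespaces, the size limit and the header policy are assumptions), the following Python checks an uploaded XML file for browser-active content before it is stored, and builds response headers that make a browser download, rather than render, a stored file:

```python
import re
import xml.etree.ElementTree as ET

# Namespaces a browser treats as active content when opening XML directly (assumed policy).
ACTIVE_NAMESPACES = {"http://www.w3.org/1999/xhtml", "http://www.w3.org/2000/svg"}
MAX_BYTES = 512 * 1024
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_STYLESHEET_PI_RE = re.compile(rb"<\?xml-stylesheet", re.IGNORECASE)

def _split_qname(name: str) -> tuple:
    """ElementTree spells namespaced names as '{uri}local'."""
    if name.startswith("{"):
        uri, local = name[1:].split("}", 1)
        return uri, local
    return "", name

def validate_xml_upload(data: bytes) -> list:
    """Return the reasons to reject an uploaded XML file; an empty list means accept."""
    if len(data) > MAX_BYTES:
        return [f"file exceeds {MAX_BYTES} bytes"]
    if _DOCTYPE_RE.search(data):
        return ["DOCTYPE declaration not accepted"]  # refuse before the parser sees entities
    findings = []
    if _STYLESHEET_PI_RE.search(data):
        findings.append("xml-stylesheet processing instruction not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        ns, local = _split_qname(elem.tag)
        if ns in ACTIVE_NAMESPACES or local.lower() == "script":
            findings.append(f"active-content element <{local}> (namespace {ns or 'none'})")
        for attr, value in elem.attrib.items():
            aname = _split_qname(attr)[1]
            if aname.lower().startswith("on"):
                findings.append(f"event-handler attribute {aname} on <{local}>")
            elif value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in attribute {aname} on <{local}>")
    return findings

def download_headers(filename: str) -> dict:
    """Headers for serving a stored XML file so the browser never renders it inline."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}
```

Both layers matter: the validator blocks what it recognises, while the headers keep an overlooked file from executing in a viewer's browser.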

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/feehicms (Packagist)
Affected versions: <= 2.1.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)