VYPR
Moderate severity · NVD Advisory · Published Sep 29, 2022 · Updated May 20, 2025

CVE-2022-40408

Description

FeehiCMS v2.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted payload injected into the Comment box under the Single Page module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 2.1.1 has a stored XSS vulnerability in the Comment box under Single Page module, allowing arbitrary JavaScript execution.

Vulnerability

Description

FeehiCMS v2.1.1 contains a stored cross-site scripting (XSS) vulnerability in the Comment box of the Single Page module [1][2]. The root cause is that user-supplied input is not sanitized or encoded before being placed into the page; specifically, the src attribute of an image inserted into a comment is written into the HTML without attribute encoding, so an attacker can break out of the attribute and inject script that persists on the server [3].

Exploitation

An attacker must first register a valid user account on the FeehiCMS site. After logging in, they navigate to Content -> Single Page, upload any image in the comment box, intercept the HTTP request, and replace the src attribute value with a crafted payload such as 'x' onerror='alert(1)' [3]. The leading single quote terminates the src attribute that the template opened, and the remainder adds an onerror event-handler attribute, so the stored markup becomes an image tag with an attacker-controlled handler. Because the image at src 'x' cannot load, the handler runs every time the comment is rendered, for every viewer.

Impact

Successful exploitation leads to stored XSS: the attacker's JavaScript executes in the browser of any user who views the affected page, including administrators reviewing comments in the backend. This can result in session hijacking, defacement, actions performed with the victim's privileges, or theft of sensitive data. The vulnerability affects both the backend and frontend pages where the comment is displayed [3].

Mitigation

As of publication, no official patch has been released for FeehiCMS 2.1.1. Operators should apply output encoding to user-supplied content wherever it is rendered (HTML attribute encoding for values placed inside attributes such as src, so that quotes cannot terminate the attribute) and validate the image source against an allowlist before storing it (for example, only http(s) URLs or paths under the site's own upload directory). Input validation alone is not sufficient, since existing stored comments and other input paths are not covered by it; output encoding is the control that removes the execution. Until a fix is available, restricting access to the Single Page comment functionality is a reasonable stopgap [2][3].
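The attribute break-out from the exploitation steps above, alongside the output encoding and allowlist validation recommended in this section, as an added example written for this page. It is not FeehiCMS code (the project is PHP) and not taken from the referenced write-up; the /uploads/ directory, the allowed-scheme list, and the sample values are assumptions constructed for the demonstration. The parser-based check at the end shows what a browser's tokenizer would actually make of each rendering.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the src value an attacker substitutes into the intercepted
# upload request, as the exploitation steps describe. The single quote closes
# the attribute the template opened; the rest adds an event-handler attribute.
ATTACKER_SRC = "x' onerror='alert(1)"

# Constructed sample: a benign value the feature is meant to accept. The
# /uploads/ prefix is an assumption for this example, not FeehiCMS's real path.
BENIGN_SRC = "/uploads/comment/cat.png"

ALLOWED_SCHEMES = {"http", "https"}  # assumption: what a comment image may point at
UPLOAD_PATH = re.compile(r"^/uploads/[A-Za-z0-9_./-]+\.(?:png|jpe?g|gif|webp)$")


def render_unsafe(src: str) -> str:
    """Vulnerable pattern: the stored value is dropped straight into the attribute."""
    return f"<img src='{src}'>"


def render_encoded(src: str) -> str:
    """Output encoding: quote=True turns ' and " into character references,
    so the value cannot terminate the attribute the template opened."""
    return "<img src='{}'>".format(html.escape(src, quote=True))


def validate_image_src(src: str) -> bool:
    """Input validation (allowlist): accept an absolute http(s) URL with a host,
    or a site-relative path under the assumed upload directory. Anything else,
    including the attacker's value and javascript: URLs, is rejected before storage."""
    parsed = urlparse(src)
    if parsed.scheme:
        return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)
    return UPLOAD_PATH.match(src) is not None


class _AttrCollector(HTMLParser):
    """Tokenizes markup the way a browser would and records every attribute it
    finds, so we can see what the rendered page would actually carry."""

    def __init__(self):
        super().__init__()
        self.attrs = {}  # attribute name -> decoded value

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)


def rendered_attributes(markup: str) -> dict:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """Detection check: any on* attribute in the parsed markup means the stored
    value escaped its attribute and became an executable handler."""
    return any(name.lower().startswith("on") for name in rendered_attributes(markup))


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("encoded", render_encoded)):
        out = renderer(ATTACKER_SRC)
        print(f"{label:8} {out}  handler={has_event_handler(out)}")
    print("validate attacker:", validate_image_src(ATTACKER_SRC))
    print("validate benign:  ", validate_image_src(BENIGN_SRC))
```

With the unsafe renderer the parser reports a separate onerror attribute; with the encoded renderer the whole attacker string is decoded back into the src value and no handler exists, which is why encoding at output, not input filtering, is the control that removes the execution.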

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/feehicms (Packagist)
Affected versions: <= 2.0.1.1
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)