Moderate severity · NVD Advisory · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-43320

Description

FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS v2.1.1 contains a reflected XSS vulnerability in the log view-layer endpoint via the `id` parameter, allowing unauthenticated attackers to inject arbitrary JavaScript.

Vulnerability

FeehiCMS v2.1.1, a Yii2-based content management system, suffers from a reflected cross-site scripting (XSS) vulnerability in the admin log view-layer functionality. The flaw resides in the /web/admin/index.php?r=log%2Fview-layer endpoint, where the id parameter is not properly sanitized before being rendered in the response.[1][2]

Exploitation

An attacker can exploit this by crafting a malicious URL containing a payload in the id parameter. For instance, appending %3Csvg%20onload=alert(20221014)%3E (URL-encoded `<svg onload=alert(20221014)>`) causes the reflected XSS payload to execute when an authenticated administrator views a log entry. The page automatically loads and triggers the injected script without requiring any user interaction beyond visiting the crafted link.[3]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, credential theft, defacement, or other malicious actions under the admin's privileges. The attacker does not need to be authenticated, because the vulnerability is triggered when an admin user accesses the malicious link.

Mitigation

As of the advisory date, the vendor had not released a patch for this vulnerability. Users are advised to apply input validation and output encoding for the id parameter or, if possible, restrict access to the affected endpoint to trusted administrators. No workaround is documented in the vendor's repository or issue tracker.[2][3]
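The validation and output-encoding advice above, as an added example in plain PHP (not FeehiCMS code and not from the advisory). It assumes log ids are positive integers; the function names and the HTML fragment are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration only: hypothetical helpers, not the FeehiCMS view-layer code.

/** Unsafe pattern: the raw query value is concatenated straight into markup. */
function renderLogIdUnsafe(string $rawId): string
{
    return '<div class="log-view" data-id="' . $rawId . '">Log #' . $rawId . '</div>';
}

/**
 * Input validation (assumption: ids are positive integers).
 * Returns the integer, or null when the request should be rejected.
 */
function parseLogId(string $rawId): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Output encoding for HTML text and quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: validate first, then encode at the point of output anyway. */
function renderLogIdSafe(string $rawId): string
{
    $id = parseLogId($rawId);
    if ($id === null) {
        return '<div class="error">Invalid log id</div>';
    }
    $text = e((string) $id);
    return '<div class="log-view" data-id="' . $text . '">Log #' . $text . '</div>';
}

// Constructed inputs: a normal id, and the advisory's test string after URL decoding.
$samples = ['42', rawurldecode('%3Csvg%20onload=alert(20221014)%3E')];
foreach ($samples as $raw) {
    echo 'input:   ', $raw, PHP_EOL;
    echo 'unsafe:  ', renderLogIdUnsafe($raw), PHP_EOL;
    echo 'safe:    ', renderLogIdSafe($raw), PHP_EOL;
    echo 'encoded: ', e($raw), PHP_EOL, PHP_EOL;
}
```

Validation rejects the non-numeric value before it reaches the template, and the encoding step keeps the markup inert if a value ever bypasses validation.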

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| feehi/cms (Packagist) | <= 2.1.1 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
