CVE-2025-63520
Description
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS 2.1.1 has a stored XSS vulnerability in the User Update function's id parameter, allowing authenticated backend users to execute arbitrary JavaScript.
Vulnerability
Overview
FeehiCMS version 2.1.1, a Yii2-based content management system, contains a Cross-Site Scripting (XSS) vulnerability in the User Update function. The flaw exists in the id parameter of the endpoint ?r=user%2Fupdate. The application fails to properly sanitize or validate the id parameter before rendering it in the response, allowing an attacker to inject arbitrary HTML and JavaScript [1][2][4].
Exploitation
An attacker must first authenticate as a backend user. The attack is performed by crafting a URL where the id parameter contains a malicious payload, such as id=2%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E. When a backend user visits this crafted URL, the injected script executes in the context of the victim's session. The attack requires user interaction (clicking the link) and a low-privilege authenticated session [2][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of the victim backend user. This can lead to theft of session cookies, defacement of the admin interface, or exfiltration of sensitive data. The CVSS v3.1 score is 7.6 (High) with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, indicating high confidentiality impact and low integrity impact [3][4].
Mitigation
As of the publication date, no official patch has been released by the vendor. The recommended remediation includes strict input validation (accepting only numeric or UUID formats for the id parameter) and context-aware output encoding before rendering the value into HTML. Users should monitor the official repository for updates or apply these mitigations manually [1][4].
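The two mitigations above (strict validation of id, then context-aware output encoding) shown side by side with the unsafe pattern, as an added example that is not FeehiCMS code. It is a Python stand-in for the PHP/Yii2 handler, so every name here (validate_id, render_vulnerable, render_hardened, handle_update, the cms.example host and the hidden-input markup) is assumed for illustration; the only value taken from the page is the shape of the id payload.

```python
import html
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: same payload shape as the CVE description, fake host.
SAMPLE_URL = ("http://cms.example/?r=user%2Fupdate"
              "&id=2%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E")

_NUMERIC = re.compile(r"[0-9]{1,20}")


def id_from_url(url: str) -> str:
    """Extract the (URL-decoded) id query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def validate_id(value: str) -> str:
    """Accept only a decimal integer or a UUID; anything else is rejected.

    Returns the canonical form so that downstream code sees one spelling.
    """
    if _NUMERIC.fullmatch(value):
        return value
    try:
        return str(uuid.UUID(value))  # raises ValueError on non-UUID input
    except ValueError:
        raise ValueError("id must be numeric or a UUID") from None


def render_vulnerable(user_id: str) -> str:
    """The unsafe pattern: the raw value is interpolated into an HTML attribute."""
    return f'<input type="hidden" name="id" value="{user_id}">'


def encode_only(user_id: str) -> str:
    """Output encoding alone: neutralises the markup even without validation."""
    return f'<input type="hidden" name="id" value="{html.escape(user_id, quote=True)}">'


def render_hardened(user_id: str) -> str:
    """Both layers: reject non-conforming input, then encode for the attribute context."""
    safe = validate_id(user_id)
    return encode_only(safe)


def handle_update(url: str) -> tuple[int, str]:
    """Simulated controller: 400 on a bad id, otherwise the encoded form fragment."""
    try:
        return 200, render_hardened(id_from_url(url))
    except ValueError:
        return 400, "invalid id"


if __name__ == "__main__":
    payload = id_from_url(SAMPLE_URL)
    print("unsafe:   ", render_vulnerable(payload))   # script tag survives
    print("encoded:  ", encode_only(payload))         # rendered as inert text
    print("hardened: ", handle_update(SAMPLE_URL))    # (400, 'invalid id')
    print("good id:  ", handle_update("http://cms.example/?r=user%2Fupdate&id=42"))
```

Validation is the primary control here because a user id has a known, narrow shape; encoding is kept as the second layer so that a view reached through another code path still cannot break out of the attribute. In a Yii2 application the encoding step corresponds to passing the value through yii\helpers\Html::encode before it reaches the template.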
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.