Packagist (Composer) package
feehi/feehicms
pkg:composer/feehi/feehicms
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-63523 | — | | | — | — | Dec 1, 2025 | FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username chan |
| CVE-2025-63522 | — | | | <= 2.1.1 | — | Dec 1, 2025 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function |
| CVE-2025-63520 | — | | | — | — | Dec 1, 2025 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). |
| CVE-2022-40373 | — | | | <= 2.1.1 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file. |
| CVE-2022-40002 | — | | | <= 2.1.1 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the callback parameter to /cms/notify. |
| CVE-2022-40001 | — | | | <= 2.1.1 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the title field of the create article page. |
| CVE-2022-40000 | — | | | <= 2.1.1 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the username field of the admin log in page. |
| CVE-2021-36573 | — | | | <= 2.1.1 | — | Dec 15, 2022 | File Upload vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via crafted image upload. |
| CVE-2021-36572 | — | | | <= 2.1.1 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via the user name field of the login page. |
| CVE-2020-36607 | — | | | <= 2.0.8 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via the lang attribute of an html tag. |
| CVE-2020-20589 | — | | | <= 2.0.8 | — | Dec 15, 2022 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via the lang attribute of an html tag. |
| CVE-2022-4014 | — | | | <= 2.0.1.1 | — | Nov 16, 2022 | A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The identifier o |
| CVE-2022-40408 | — | | | <= 2.0.1.1 | — | Sep 29, 2022 | FeehiCMS v2.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted payload injected into the Comment box under the Single Page module. |
| CVE-2020-19709 | — | | | <= 0.1.3 | — | Aug 26, 2021 | Insufficient filtering of the tag parameters in feehicms 0.1.3 allows attackers to execute arbitrary web or HTML via a crafted payload. |