Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Article Content.

Severity Score: Medium
CVSS score: 6.9
Vecto string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
### Description:
Feehi CMS 2.1.1 allows authenticated user create the article but lack of santitize or filter input in the content. Leak to attacker can inject the XSS payload. It store the payload in the database.

### Impact:
If user or admin click to the article contain Stored XSS payload, attacker can steal the cookie of the victim.
### POC
**Step 1:** Create a new article

<img width="1021" height="917" alt="Image" src="https://github.com/user-attachments/assets/594803d1-3677-4268-8d86-493c01a4ced2" />

**Step 2:** Intercept the request and enter the payload in content

<img width="791" height="617" alt="Image" src="https://github.com/user-attachments/assets/0d38fe25-07a5-4d29-8dc2-0aea7a2789d7" />

**Step 3:** Send it and view the article contain Stored XSS.

<img width="1556" height="991" alt="Image" src="https://github.com/user-attachments/assets/abbcc885-b357-4ada-aaad-3f72b3b7140d" />

### Mitigare: 
1/ Use filters to filter tags or events.
2/ Implenment a whitelist in case you want to use certain tags.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Article Content. #80

Description:

Impact:

POC

Mitigare:

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Article Content. #80

Description

Description:

Impact:

POC

Mitigare:

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions