Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Article Title.

Severity Score: Medium
CVSS score: 6.9
Vecto string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
### Description:

Feehi CMS 2.1.1 allows authenticated user create the article but lack of santitize or filter input in the title field. Leak to attacker can inject the XSS payload. It store the payload in the database.
### Impact:

If user or admin click to the article contain Stored XSS payload, attacker can steal the cookie of the victim.

### POC:
Step 1: Create new article.
Step 2: In the title field enter XSS payload.

<img width="979" height="813" alt="Image" src="https://github.com/user-attachments/assets/b2ec812a-68bf-45fb-91e1-b581937a22a1" />

Step 3: Save article and view that the payload is stored.

<img width="1746" height="629" alt="Image" src="https://github.com/user-attachments/assets/2f4623c0-c4e1-4806-a4b1-6b3d6bbc2aa0" />

### Mitigare:

1/ Use filters to filter tags or events.
2/ Implenment a whitelist in case you want to use certain tags.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Article Title. #81

Description:

Impact:

POC:

Mitigare:

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Article Title. #81

Description

Description:

Impact:

POC:

Mitigare:

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions