Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Page Sign

Severity Score: Medium
CVSS score: 6.9
Vecto string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
### Description:

Feehi CMS 2.1.1 allows authenticated user create the page but lack of santitize or filter input in the Page Sign. Leak to attacker can inject the XSS payload. It store the payload in the database.
### Impact:

Attacker can inject the malicious Javascript into the website and can steal the cookie of victim.

### POC:
Step 1: Create a new page.

<img width="1184" height="698" alt="Image" src="https://github.com/user-attachments/assets/315a9188-e24a-4d1b-ac67-6a7c81366c12" />
Step 2: Enter the XSS payload into the Page Sign and save it.

<img width="1725" height="888" alt="Image" src="https://github.com/user-attachments/assets/380ea7ee-cd41-49ba-b32e-eac33424baab" />

Step 3: View the Page and see the payload is stored.

<img width="1223" height="929" alt="Image" src="https://github.com/user-attachments/assets/45f59eb5-028b-4092-b07b-b927aa39eca0" />

<img width="1713" height="568" alt="Image" src="https://github.com/user-attachments/assets/a865e023-751f-4f85-b2c3-78c9783b9b9e" />

### Mitigare:

1/ Use filters to filter tags or events.
2/ Implenment a whitelist in case you want to use certain tags.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Page Sign #82

Description:

Impact:

POC:

Mitigare:

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Page Sign #82

Description

Description:

Impact:

POC:

Mitigare:

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions