Feehi CMS 2.1.1 -  Stored Cross-Site Scripting (Stored XSS) in Role

Severity Score: Medium
CVSS score: 6.9
Vecto string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
### Description:

Feehi CMS 2.1.1 allows admin user create the new role but lack of santitize or filter input in the role name. Leak to attacker can inject the XSS payload. It store the payload in the database.
### Impact:

If the admin view the the log, the malicious JS will execute and it can leak to steal others admin's cookie.

### POC:
Step 1: Create new role.

Step 2: Enter the XSS payload in the role field and save it.
 
<img width="1486" height="903" alt="Image" src="https://github.com/user-attachments/assets/6c0b9766-523d-4e85-b6b0-5b679b73dee6" />

Step 3: When admin create a new role, the malicious role contain XSS payload will appear and execute.

<img width="1700" height="871" alt="Image" src="https://github.com/user-attachments/assets/64cc1c44-e854-411c-96c4-967ceb3f7d2d" />

<img width="1610" height="883" alt="Image" src="https://github.com/user-attachments/assets/883e421b-2eef-4a07-a7ee-e497c66949ea" />

### Mitigare:
1/ Use filters to filter tags or events.
2/ Encode the special characters like <, >, (, ), etc.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Role #83

Description:

Impact:

POC:

Mitigare:

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Role #83

Description

Description:

Impact:

POC:

Mitigare:

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions