FeehiCMS Cross-Site Scripting Vulnerability in User Update Function

Vulnerability

A cross-site scripting (XSS) vulnerability exists in FeehiCMS version 2.1.1. The issue arises in the User Update function, specifically through the 'id' parameter, whose value is reflected into the page without adequate encoding. As a result, JavaScript embedded in a crafted URL executes in the browser of an authenticated backend user who visits that URL.

Impact

Exploitation of this vulnerability allows for the execution of malicious JavaScript, which could disrupt the normal operation of the application or compromise the security of the user.

Reproduction

To reproduce this vulnerability, log in as a backend user and navigate to the User Update function. Append a crafted 'id' parameter that includes malicious JavaScript, such as a script tag with JavaScript code, into the URL. When the page is loaded, the JavaScript will be executed.

Remediation

Implement strict input validation to accept only valid formats for the 'id' parameter, such as numeric values or UUIDs. Additionally, apply context-aware output encoding to the 'id' value before rendering it into HTML.
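The following is an added illustration of the two remediation steps above, written here for this page and not taken from FeehiCMS (which is a PHP application); it is language-agnostic logic shown in Python, with the sample 'id' values constructed for the demonstration. It pairs the unsafe pattern (reflecting the parameter verbatim) with a hardened version that first allow-lists the value as a positive integer or canonical UUID and then HTML-encodes it before rendering.

```python
import html
import re
import uuid
from typing import Optional

# Constructed sample values for the 'id' query parameter (not from the advisory).
# The last one carries HTML markup and must never reach the page unencoded.
SAMPLE_IDS = {
    "numeric": "42",
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "markup": "1<script>alert(1)</script>",
}

# Positive integer, no leading zeros, bounded length (fits a 64-bit column).
_NUMERIC = re.compile(r"^[1-9][0-9]{0,18}$")


def validate_id(raw: str) -> Optional[str]:
    """Allow-list validation for the 'id' parameter.

    Returns the canonical value when the input is a positive integer or a UUID,
    otherwise None; the caller should answer with a 400 response and must not
    echo the rejected value anywhere.
    """
    if _NUMERIC.fullmatch(raw):
        return raw
    try:
        # uuid.UUID accepts hyphenated, bare-hex and braced forms;
        # str() normalises to the canonical lowercase hyphenated form.
        return str(uuid.UUID(raw))
    except ValueError:
        return None


def encode_for_html(value: str) -> str:
    """Output encoding for the HTML body context (also escapes quotes, so the
    result is safe inside double- or single-quoted attribute values)."""
    return html.escape(value, quote=True)


def render_user_update_vulnerable(raw_id: str) -> str:
    """Pattern to avoid: the request parameter is reflected verbatim into HTML."""
    return f"<h1>Update user {raw_id}</h1>"


def render_user_update_hardened(raw_id: str) -> str:
    """Validate first, then encode for the output context before reflecting.

    Encoding is kept even though a validated value contains no HTML
    metacharacters: it is the defence that survives if the allow-list is
    later loosened.
    """
    valid = validate_id(raw_id)
    if valid is None:
        # Generic error; the rejected value is deliberately not reflected.
        return "<h1>Invalid user id</h1>"
    return f"<h1>Update user {encode_for_html(valid)}</h1>"


if __name__ == "__main__":
    for label, value in SAMPLE_IDS.items():
        print(f"{label:8} vulnerable: {render_user_update_vulnerable(value)}")
        print(f"{label:8} hardened:   {render_user_update_hardened(value)}")
```

Validation rejects the markup-bearing value outright, so the hardened handler never places it in the response; encoding remains as a second layer for any value that is rendered. Both steps belong in the server-side handler, not in client-side code, since the crafted URL bypasses anything the browser does before the request is sent.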

Added: Dec 1, 2025, 3:27 PM
Updated: Dec 1, 2025, 8:33 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.