Feehi CMS Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Feehi CMS version 2.1.1. This vulnerability allows authenticated users to inject arbitrary web scripts or HTML into the Content field of articles. The injected payload is not properly sanitized, leading to execution of the script when the article is viewed. This could enable an attacker to steal cookies from the victim's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the article.

Reproduction

To reproduce this vulnerability, an authenticated user can create a new article and inject a script payload into the Content field. After saving the article, the injected script will be executed when the article is viewed.

Remediation

It is recommended to implement input filters to sanitize content before it is stored, and to establish a whitelist of allowed tags if certain HTML elements need to be preserved.