Feehi CMS
cpe:2.3:a:feehi:feehi_cms:*:*:*:*:*:*:*
- 2.1.1
A stored cross-site scripting vulnerability has been identified in Feehi CMS version 2.1.1. It allows authenticated users to inject arbitrary web scripts or HTML into the Page Sign parameter. The injected payload is stored in the database and executed when the page is viewed, potentially leading to cookie theft from users who visit the affected page.
Exploitation of this vulnerability allows for the injection of malicious JavaScript into the website, which can be executed in the context of the user viewing the page. This could be used to steal cookies from the victim, potentially leading to session hijacking.
To reproduce this vulnerability, an authenticated user can create a new page and inject a script or HTML payload into the Page Sign parameter. Once the page is saved, the injected payload will be executed when the page is viewed.
It is recommended to implement input sanitization and filtering to remove or neutralize potentially harmful tags and scripts before storing user input in the database.
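The recommendation above, sketched as an added example in plain PHP (not Feehi CMS's own code): validate Page Sign against an allow-list before saving, encode it on output, and audit rows that were stored earlier. It assumes Page Sign is a short URL-style identifier; the function names, pattern and sample rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: Page Sign is a short URL-style identifier, not free-form HTML.
const PAGE_SIGN_PATTERN = '/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/';

// Input side: accept only allow-listed values; reject instead of stripping tags.
function validatePageSign(string $raw): ?string
{
    $value = trim($raw);
    return preg_match(PAGE_SIGN_PATTERN, $value) === 1 ? $value : null;
}

// Output side: encode for HTML text and quoted attributes, so values stored
// before validation existed are displayed as text instead of being executed.
function renderPageSign(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Clean-up: list ids of already-stored rows whose sign fails the allow-list.
function auditStoredSigns(array $rows): array
{
    $suspect = [];
    foreach ($rows as $row) {
        if (validatePageSign((string) $row['sign']) === null) {
            $suspect[] = $row['id'];
        }
    }
    return $suspect;
}

// Constructed sample rows (hypothetical ids and values, not from the advisory).
$rows = [
    ['id' => 1, 'sign' => 'about-us'],
    ['id' => 2, 'sign' => 'contact_2024'],
    ['id' => 3, 'sign' => '"><script>alert(1)</script>'],
    ['id' => 4, 'sign' => '<img src=x onerror=alert(1)>'],
];

foreach ($rows as $row) {
    $state = validatePageSign($row['sign']) === null ? 'rejected' : 'accepted';
    printf("id=%d save=%s rendered=%s\n", $row['id'], $state, renderPageSign($row['sign']));
}
printf("rows to review: %s\n", implode(', ', auditStoredSigns($rows)));
```

Encoding on output is kept even with input validation in place, because payloads saved before the fix remain in the database until the flagged rows are cleaned up.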