[Cross Site Scripting (XSS) in username parameter of Admin Log function]
Severity Score: Medium
CVSS Score: 7.6 High, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Description
FeehiCMS version 2.1.1 - Improper output encoding of the username parameter in the Admin Log function. An authenticated backend user creates or updates any user's username with malicious JavaScript. The backend records this action as an entry in the admin log, storing the username unencoded. When another backend user opens the admin log and views the details of the newly created entry, the stored JavaScript is rendered into the page and executed (stored XSS).
Impact
Malicious JavaScript can be executed which will impact the confidentiality and integrity of the backend users, backend configuration and records.
POC
Login as a backend user. Navigate to the link below and set the username of any user to "><svg/onload=prompt(document.domain)>
http://localhost:8081/admin/index.php?r=user%2Fupdate&UserSearch%5Busername%5D=&UserSearch%5Bemail%5D=&UserSearch%5Bstatus%5D=&UserSearch%5Bcreated_at%5D=&UserSearch%5Bupdated_at%5D=&id=4
Then, navigate to the admin log and look for the newly created log.
http://localhost:8081/admin/index.php?r=log%2Fview-layer&id=912
The injected script executes when the log detail page is rendered.

Remediation
- Strict Input Validation - Accept only valid formats for username.
- Context-Aware Output Encoding - Encode the username value before rendering into HTML.
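The two remediation items above, shown side by side in PHP as an added example (this is not FeehiCMS code; the function names and the $logEntry structure are assumptions for illustration). The unsafe renderer reproduces the defect class described in this advisory: the stored username is concatenated straight into HTML. The safe renderer encodes for the HTML context before output, and a strict validator rejects markup characters at the input boundary:

```php
<?php
// Added example, not FeehiCMS code. Function names and the $logEntry array
// are assumptions chosen to illustrate the advisory's remediation advice.

declare(strict_types=1);

// Constructed sample record, modelled on the admin log row the advisory describes.
$logEntry = [
    'id'       => 912,
    'action'   => 'user/update',
    'username' => '"><svg/onload=prompt(document.domain)>', // payload quoted in the advisory
];

// Vulnerable pattern: the stored username is interpolated directly into HTML,
// so the browser parses attacker-controlled angle brackets as markup.
function renderLogDetailUnsafe(array $log): string
{
    return '<td>' . $log['username'] . '</td>';
}

// Hardened pattern: encode for the HTML element context before output.
// ENT_QUOTES also covers the attribute context (both quote styles are encoded).
// In Yii2-based code such as FeehiCMS the equivalent helper is yii\helpers\Html::encode().
function renderLogDetailSafe(array $log): string
{
    $encoded = htmlspecialchars($log['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Strict input validation: accept only a narrow username alphabet and length,
// so markup characters never reach storage in the first place.
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username) === 1;
}

// Demonstration: the unsafe output contains live <svg> markup, the safe output
// contains only &quot;&gt;&lt;svg/onload=...&gt; text, and the payload fails validation.
echo 'Unsafe: ' . renderLogDetailUnsafe($logEntry) . PHP_EOL;
echo 'Safe:   ' . renderLogDetailSafe($logEntry) . PHP_EOL;
echo 'Payload passes validation? ' . (isValidUsername($logEntry['username']) ? 'yes' : 'no') . PHP_EOL;
echo 'Normal name passes validation? ' . (isValidUsername('alice_01') ? 'yes' : 'no') . PHP_EOL;
```

Output encoding is the control that actually closes the log-view hole, because the log stores historical values and validation added later does not sanitise rows already written; validation is defence in depth. If the username is ever rendered inside an attribute, the attribute must also be quoted, and a value placed into JavaScript or a URL needs the encoder for that context rather than HTML encoding alone.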