CVE-2022-34140 in Feehi
Summary
by MITRE • 07/28/2022
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
Analysis
by VulDB Data Team • 04/30/2025
The vulnerability identified as CVE-2022-34140 is a critical stored cross-site scripting flaw in Feehi CMS version 2.1.1, affecting the user registration endpoint at /index.php?r=site%2Fsignup. It stems from inadequate input validation and output sanitization in the application's handling of the username parameter. The flaw allows malicious actors to inject scripts that are stored and then execute whenever other users view the compromised username, so a single injection can affect multiple users over time.
Exploitation occurs through the username field during the signup process, where the application fails to properly sanitize user-supplied input before storing it and rendering it in subsequent web pages. This stored XSS condition enables attackers to craft payloads that include JavaScript code, iframe embeddings, or other HTML elements that execute in the context of authenticated users' browsers. The vulnerability is classified under CWE-79 as a failure to sanitize user input, manifesting as a stored cross-site scripting vulnerability in which the injected code is saved in the application's database.
The operational impact of this vulnerability extends beyond simple script execution, as it can facilitate more sophisticated attack vectors including session hijacking, credential theft, and data exfiltration. Attackers can leverage this vulnerability to steal session cookies, redirect users to malicious domains, or inject phishing content that appears legitimate to users. The persistent nature of stored XSS makes this vulnerability particularly dangerous as the malicious code remains active until manually removed from the database, potentially affecting all users who encounter the compromised username in the application's interface.
Security professionals should implement comprehensive input validation and output encoding to address this vulnerability, ensuring that all user-supplied data is properly sanitized before being stored or rendered in web contexts. Remediation should include HTML escaping for all dynamic content, Content Security Policy headers to limit script execution, and regular security testing, both automated scanning and manual penetration testing, to identify similar vulnerabilities in other application components. This vulnerability aligns with ATT&CK technique T1531, which involves modifying or hijacking application execution flows, and represents a critical weakness that requires immediate attention to prevent potential compromise of user sessions and sensitive data within the CMS environment.
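The three remediation layers named above (input validation at signup, HTML escaping at output, a Content Security Policy header) are sketched below in plain PHP as an added example; it is not Feehi CMS code. The function names, the username allow-list policy and the CSP value are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; this is not Feehi CMS code.

// Input validation at signup: allow-list of characters (policy is an assumption).
function isValidUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) === 1;
}

// Output encoding for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored value concatenated into markup unencoded.
function renderUserRowUnsafe(string $username): string
{
    return '<td class="username">' . $username . '</td>';
}

// Hardened pattern: encode at the point of output, whatever is in the database.
function renderUserRowSafe(string $username): string
{
    return '<td class="username">' . e($username) . '</td>';
}

// Defence in depth: disallow inline scripts. Call before any output is sent.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample values, as they might already sit in a user table.
$samples = ['alice_01', '<img src=x onerror=alert(1)>'];

foreach ($samples as $name) {
    printf("valid=%s\n  unsafe: %s\n  safe:   %s\n",
        isValidUsername($name) ? 'yes' : 'no',
        renderUserRowUnsafe($name),
        renderUserRowSafe($name)
    );
}
```

Encoding at output also neutralizes usernames that were stored before validation was introduced, which matters here because the injected value stays in the database until it is removed.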