Miggo Logo
Miggo Vulnerability Database
CVE-2021-36572

CVE-2021-36572: FeehiCMS Cross Site Scripting vulnerability

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-36572
GHSA ID
GHSA-m54v-gv8p-9pqp
EPSS Score
0.23838%
CWE
CWE-79
Published
12/15/2022
Updated
1/28/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
feehi/feehicmscomposer<= 2.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in the username field reflection during login attempts. While exact code isn't available, XSS patterns suggest: 1) The controller handling login requests passes user input to the view without sanitization 2) The view template fails to properly escape the username value when rendering the HTML form. This matches the described attack vector where user-controlled input enters the page output without neutralization (CWE-79). Confidence is medium due to reliance on common MVC patterns rather than observed code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* (XSS) vuln*r**ility in ****i *MS t*ru *.*.* *llows *tt**k*rs to run *r*itr*ry *o** vi* t** us*r n*m* *i*l* o* t** lo*in p***.

Reasoning

T** vuln*r**ility m*ni**sts in t** us*rn*m* *i*l* r**l**tion *urin* lo*in *tt*mpts. W*il* *x**t *o** isn't *v*il**l*, XSS p*tt*rns su***st: *) T** *ontroll*r **n*lin* lo*in r*qu*sts p*ss*s us*r input to t** vi*w wit*out s*nitiz*tion *) T** vi*w t*mpl