
CVE-2022-40000: FeehiCMS Cross Site Scripting vulnerability

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.14034%
Published: 12/15/2022
Updated: 1/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: feehi/feehicms
Ecosystem: composer
Vulnerable Versions: <= 2.1.1
First Patched Version: not listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The XSS occurs via username reflection in the admin login page. This typically happens when: 1) the controller passes the user-supplied username back to the view without sanitization after a failed login, and 2) the view template outputs the username directly, without context-aware escaping. While the exact code isn't available, this pattern matches the described vulnerability and common PHP CMS conventions. Confidence is medium because the analysis relies on common vulnerability patterns rather than direct code observation.
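The pattern described above, as an added illustration that is not FeehiCMS code: a hypothetical failed-login controller path feeding a view that writes the username raw, beside the same view with attribute-context escaping, exercised on a constructed input.

```php
<?php
// Added example: generic PHP sketch of the reflected-XSS pattern described above.
// It is NOT FeehiCMS code; handleFailedLogin() and the two render functions are hypothetical.
declare(strict_types=1);

/** Vulnerable view: the submitted username is written into the HTML attribute unescaped. */
function renderLoginVulnerable(string $username): string
{
    return '<input name="username" value="' . $username . '">';
}

/** Hardened view: escape for the HTML attribute context, covering both quote styles. */
function renderLoginHardened(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="username" value="' . $safe . '">';
}

/** Controller path after a failed login: the request value is handed straight to the view. */
function handleFailedLogin(array $post, callable $view): string
{
    $username = (string) ($post['username'] ?? '');
    return $view($username);
}

/** Review check: an escaped attribute value must neither survive verbatim nor open a second tag. */
function isSafelyEscaped(string $html, string $raw): bool
{
    return strpos($html, $raw) === false && substr_count($html, '<') === 1;
}

// Constructed sample input: a value that closes the attribute and opens a new element.
$sample = ['username' => 'alice"><b>x</b>'];

$vuln = handleFailedLogin($sample, 'renderLoginVulnerable');
$hard = handleFailedLogin($sample, 'renderLoginHardened');

printf("vulnerable : %s\n", $vuln);
printf("hardened   : %s\n", $hard);
printf("vulnerable escaped? %s\n", isSafelyEscaped($vuln, $sample['username']) ? 'yes' : 'no');
printf("hardened escaped?   %s\n", isSafelyEscaped($hard, $sample['username']) ? 'yes' : 'no');
```

The same check applies to any template that prints the submitted value into a different context (a script block or a URL), where htmlspecialchars alone is not the right encoder.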


WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the username field of the admin login page.
