
CVE-2022-40001: FeehiCMS Cross Site Scripting vulnerability

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.14034%
Published: 12/15/2022
Updated: 1/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: feehi/feehicms
Ecosystem: composer
Vulnerable Versions: <= 2.1.1
First Patched Version: (none given)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper neutralization of the title field during web page generation (CWE-79). XSS occurs when untrusted input (title) is rendered without adequate escaping. The ArticleController's actionCreate method is implicated because it handles the input, and the view template (_form.php or similar) is responsible for output. Without patch details, confidence is medium, as these components are typical XSS vectors in MVC frameworks when input/output sanitization is missing.
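The output-escaping failure described above, as an added PHP illustration that is not code from FeehiCMS or from Miggo: the view markup, the function names and the sample title are assumptions, and Yii2's Html::encode() is inlined as a plain htmlspecialchars() call so the script runs without the framework.

```php
<?php
// Added illustration (not FeehiCMS code): an article title interpolated into a
// view without escaping, beside the encoded form. yii\helpers\Html::encode()
// wraps htmlspecialchars() with the flags used below; it is inlined here.

function encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (assumed view markup): the title is placed into the page
// as-is, so any markup typed into the "create article" form becomes part of
// the rendered HTML for everyone who views the article.
function renderTitleUnsafe(string $title): string
{
    return "<h1 class=\"article-title\">{$title}</h1>";
}

// Hardened pattern: the untrusted value is encoded at the output boundary, so
// angle brackets and quotes are rendered as text rather than parsed as markup.
function renderTitleSafe(string $title): string
{
    return '<h1 class="article-title">' . encode($title) . '</h1>';
}

// Constructed sample title. Per the CVSS vector (PR:L/UI:R) it is submitted by a
// low-privileged authenticated user and affects whoever later opens the page.
$title = 'Hello <script>alert(1)</script>';

echo 'Unsafe: ', renderTitleUnsafe($title), PHP_EOL;
echo 'Safe:   ', renderTitleSafe($title), PHP_EOL;
```

Run with `php example.php` and compare the two lines: only the unsafe rendering still contains a parsable script element.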


WAF Protection Rules

WAF Rule

Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the title field of the create article page.
