CVE-2022-34140
Published: 2022-07-28
Priority: P4 (33) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Tags: EXPLOIT
EPSS: 3.38% (87.3th percentile)
Description: A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| feehi | cms | 0 – 2.1.1 | — |
| feehi | feehi_cms | — | — |
GHSA (2022-07-29)
CVE-2022-34140 [MEDIUM] CWE-79: Feehi CMS Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability in `/index.php?r=site%2Fsignup` of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
OSV (2022-07-29)
CVE-2022-34140 [MEDIUM]: Feehi CMS Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability in `/index.php?r=site%2Fsignup` of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
No detection rules found.
Exploit-DB (2022-09-23, CVSS 5.4)
CVE-2022-34140 [MEDIUM]: Feehi CMS 2.1.1 - Remote Code Execution (Authenticated)
---
# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 22-08-2022
# Exploit Author: yuyudhn
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Docker
# CVE : CVE-2022-34140
# Proof of Concept:
1. Login using admin account at http://feehi-cms.local/admin
2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex
3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
4. Upload a PHP script with a jpg/png extension and, using Burp Suite or any tamper-data browser add-on, change the extension back to php.
5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].ph
Exploit-DB (2022-08-09, CVSS 5.4)
CVE-2022-34140 [MEDIUM]: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
---
# Exploit Title: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
# Date: 02-08-2022
# Exploit Author: Shivam Singh
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
# Profile Link: https://www.linkedin.com/in/shivam-singh-3906b0203/
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Windows, Docker
# CVE : CVE-2022-34140
# Proof of Concept:
1. Sign up at https://localhost.cms.feehi/
2. Inject the XSS payload in Username: `">alert(document.cookie)`, fill in all required fields and click the SignUp button.
3. Log in to your account and go to any article page; the XSS will trigger there.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/168012/Feehi-CMS-2.1.1-Cross-Site-Scripting.html
- http://packetstormsecurity.com/files/168476/Feehi-CMS-2.1.1-Remote-Code-Execution.html
- https://github.com/liufee/cms
- https://github.com/liufee/cms/issues/61