Feehi Feehicms vulnerabilities
24 known vulnerabilities affecting feehi/feehicms.
Total CVEs: 24
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 1, MEDIUM 16
Vulnerabilities
Page 1 of 2
CVE-2024-8294 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 2.1.1, v2.1.0 +1 more | 2024-08-29
A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public a
nvd
CVE-2024-8295 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 2.1.1, v2.1.0 +1 more | 2024-08-29
A vulnerability has been found in FeehiCMS up to 2.1.1 and classified as critical. This vulnerability affects the function createBanner of the file /admin/index.php?r=banner%2Fbanner-create. The manipulation of the argument BannerForm[img] leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the publi
nvd
CVE-2024-8296 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 2.1.1, v2.1.0 +1 more | 2024-08-29
A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The ve
nvd
CVE-2020-21322 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 2.0.8 | 2021-09-15
An arbitrary file upload vulnerability in Feehi CMS v2.0.8 and below allows attackers to execute arbitrary code via a crafted PHP file.
nvd
CVE-2020-21516 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v2.0.8 | 2022-09-06
There is an arbitrary file upload vulnerability in FeehiCMS 2.0.8 at the head image upload, that allows attackers to execute relevant PHP code.
nvd
CVE-2020-21174 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v2.0.7.1 | 2023-06-20
File Upload vulnerability in liufee CMS v.2.0.7.1 allows a remote attacker to execute arbitrary code via the image suffix function.
nvd
CVE-2020-21489 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | v2.0.8 | 2023-06-20
File Upload vulnerability in Feehicms v.2.0.8 allows a remote attacker to execute arbitrary code via the /admin/index.php?r=admin-user%2Fupdate-self component.
nvd
CVE-2025-15264 | P3 | HIGH | CVSS 7.3 | CWE-918 | ≤ 2.1.1, v2.1.0 +1 more | 2025-12-30
A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was cont
nvd
CVE-2025-65657 | P3 | MEDIUM | CVSS 6.5 | CWE-77 | v2.1.1 | 2025-12-02
FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can
nvd
CVE-2025-63523 | P3 | MEDIUM | CVSS 6.5 | CWE-125 | v2.1.1 | 2025-12-01
FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.
nvd
CVE-2021-36573 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 2.1.1 | 2022-12-15
File Upload vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via crafted image upload.
ghsa, nvd, osv
CVE-2020-19709 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v0.1.3 | 2021-08-26
Insufficient filtering of the tag parameters in feehicms 0.1.3 allows attackers to execute arbitrary web or HTML via a crafted payload.
ghsa, nvd, osv
CVE-2025-63520 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.1.1 | 2025-12-01
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate).
nvd
CVE-2022-40373 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v2.1.1 | 2022-12-15
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file.
ghsa, nvd, osv
CVE-2020-36607 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.0.8 | 2022-12-15
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via the lang attribute of an html tag.
ghsa, nvd, osv
CVE-2020-20589 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.0.8 | 2022-12-15
Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.0.8 allows remote attackers to run arbitrary code via the lang attribute of an html tag.
ghsa, nvd, osv
CVE-2025-63522 | P4 | MEDIUM | CVSS 4.6 | CWE-1021 | v2.1.1 | 2025-12-01
Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function
ghsa, nvd, osv
CVE-2021-36572 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 2.1.1 | 2022-12-15
Cross Site Scripting (XSS) vulnerability in Feehi CMS thru 2.1.1 allows attackers to run arbitrary code via the user name field of the login page.
ghsa, nvd, osv
CVE-2022-43320 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v2.1.1 | 2022-11-09
FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer.
nvd
CVE-2022-40001 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v2.1.1 | 2022-12-15
Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the title field of the create article page.
ghsa, nvd, osv