Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Permission

Severity Score: Medium
CVSS score: 6.9
Vecto string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

### Description:

Feehi CMS 2.1.1 allows authenticated users with RBAC/Permission creation privileges to inject malicious scripts via the Group, Category, and Description fields due to a lack of input sanitization. While these fields are the entry points, the vulnerability manifests as a Stored XSS at critical endpoints such as the "Create Admin User" page.

### Impact:
If the superadmin create new admin user, the malicious JS file may execute, it can lead to steal admin's cookie.

### POC:
**Step 1:** Create a new permissions and inject the XSS payload in Group, Category or Description Fields.

<img width="1175" height="894" alt="Image" src="https://github.com/user-attachments/assets/1d099450-a12b-482b-b3bf-f48d3bd1b447" />

**Step 2:**  Create new admin user and see the payload is executed.

<img width="1288" height="922" alt="Image" src="https://github.com/user-attachments/assets/41f1e88a-288f-4548-8a98-00eccdcd5067" />

<img width="1911" height="934" alt="Image" src="https://github.com/user-attachments/assets/0913867d-f004-4450-bc42-3f4e180da967" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Permission #85

Description:

Impact:

POC:

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Feehi CMS 2.1.1 - Stored Cross-Site Scripting (Stored XSS) in Permission #85

Description

Description:

Impact:

POC:

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions