FeehiCMS · CVE-2022-40002
**Name of the Vulnerable Software and Affected Versions**
FeehiCMS version 2.1.1
**Description**
The `callback` parameter of the "/cms/notify" API endpoint allows remote attackers to inject arbitrary code that is executed as script in the victim's browser, potentially leading to unauthorized actions or data theft.
**Recommendations**
For FeehiCMS version 2.1.1, as a temporary workaround, consider restricting access to the "/cms/notify" API endpoint or disabling the use of the `callback` parameter until a patch is available.
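As an added illustration, not FeehiCMS code, the hypothetical handler below models an endpoint that wraps a JSON body in a client-supplied `callback` name (JSONP style), which is assumed here to be how the parameter reaches the browser. The weak variant reflects the name verbatim; the hardened variant accepts only a dotted chain of JavaScript identifiers and marks the response as script so it cannot be interpreted as HTML.

```python
import json
import re
from dataclasses import dataclass

# Assumption: the "notify" endpoint echoes the callback name around a JSON
# body. Only a dotted chain of JavaScript identifiers is a valid callback,
# e.g. "handleNotify" or "app.cb1"; quotes, angle brackets, spaces and
# parentheses are rejected before they can reach the response body.
_CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
MAX_CALLBACK_LEN = 64


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def jsonp_unsafe(callback: str, payload: dict) -> Response:
    """Weak pattern: the callback is reflected verbatim into an HTML-typed body."""
    return Response(200, {"Content-Type": "text/html"},
                    f"{callback}({json.dumps(payload)});")


def is_safe_callback(callback: str) -> bool:
    """True only for a short, plain identifier chain."""
    return (len(callback) <= MAX_CALLBACK_LEN
            and _CALLBACK_RE.fullmatch(callback) is not None)


def jsonp_hardened(callback: str, payload: dict) -> Response:
    """Validate the callback, then emit a script-typed, nosniff response."""
    if not is_safe_callback(callback):
        return Response(400, {"Content-Type": "application/json"},
                        '{"error": "invalid callback"}')
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stops browsers from sniffing the body as HTML or another type.
        "X-Content-Type-Options": "nosniff",
    }
    # The leading comment prefix keeps the body from being a valid start of
    # other file formats if it is ever loaded outside a <script> tag.
    return Response(200, headers, f"/**/ {callback}({json.dumps(payload)});")


if __name__ == "__main__":
    print(jsonp_hardened("handleNotify", {"ok": True}))
    print(jsonp_hardened("not a name", {"ok": True}))
```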