CVE-2025-63522 Overview
CVE-2025-63522 is a Reverse Tabnabbing vulnerability identified in FeehiCMS version 2.1.1, specifically within the Comments Management function. This medium-severity flaw allows attackers to exploit improper UI rendering to manipulate user interactions, potentially leading to phishing attacks or credential theft through a malicious redirect when users click on attacker-controlled links.
Reverse Tabnabbing is a type of User Interface Confusion attack where a malicious page opened via target="_blank" can redirect the original parent page to a phishing site using the window.opener property. When exploited in FeehiCMS's Comments Management feature, this could allow attackers to trick administrators into submitting credentials or sensitive information to attacker-controlled servers.
Critical Impact
Attackers can leverage the Comments Management function to inject links that, when clicked by administrators, redirect the original FeehiCMS admin panel to a malicious phishing page, potentially compromising administrative credentials and CMS integrity.
Affected Products
- FeehiCMS 2.1.1
- feehi / feehicms (vendor / product as listed by NVD; all installations running version 2.1.1)
- Comments Management module in affected FeehiCMS versions
Discovery Timeline
- 2025-12-01 - CVE-2025-63522 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-63522
Vulnerability Analysis
This vulnerability is classified under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), which relates to insufficient controls over how UI elements are rendered and interact with external resources. The CVSS 3.1 score of 4.6 (Medium severity) reflects the network-based attack vector with low privileges required and user interaction dependency.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N indicates:
- Attack Vector (AV:N): Exploitable remotely over the network
- Attack Complexity (AC:L): Low complexity to execute
- Privileges Required (PR:L): Low-level privileges needed (authenticated user)
- User Interaction (UI:R): Requires victim to click the malicious link
- Confidentiality/Integrity Impact: Low impact on both, with no availability impact
The Exploit Prediction Scoring System (EPSS) assigns this vulnerability a probability score of 0.025% with a percentile ranking of 6.12%, indicating a relatively low likelihood of exploitation in the wild compared to other vulnerabilities.
Root Cause
The root cause lies in improper handling of external links within the Comments Management function of FeehiCMS 2.1.1. When comments containing links are rendered, the application fails to include the rel="noopener noreferrer" attribute on anchor tags that use target="_blank". This oversight allows the newly opened page to access the window.opener object of the parent window, enabling malicious redirects.
The vulnerability exists because the CMS does not properly sanitize or secure user-generated content containing hyperlinks within the comments system. When an administrator reviews or interacts with comments containing malicious links, the attacker's page gains control over the parent window's navigation.
Attack Vector
The attack unfolds through the following mechanism:
- An attacker submits a comment containing a specially crafted external link through the FeehiCMS comment submission functionality
- The malicious link is stored and rendered in the Comments Management administrative interface
- When an administrator clicks the link, it opens in a new tab while retaining a reference to the admin panel via window.opener
- The attacker's malicious page executes JavaScript to redirect the original admin panel tab to a convincing phishing page
- The administrator, believing they are still on the legitimate FeehiCMS interface, may enter credentials or perform sensitive actions on the attacker-controlled page
This technique is particularly effective because users often trust pages they opened themselves and may not notice the URL change in the original tab while focused on the newly opened page.
Detection Methods for CVE-2025-63522
Indicators of Compromise
- Suspicious external links in comment submissions pointing to unfamiliar or newly registered domains
- Administrator session anomalies following comment review activities
- Unexpected page redirects in browser history from the CMS admin panel
- User reports of being redirected to login pages unexpectedly while managing comments
- Browser console errors related to window.opener access from external origins
Detection Strategies
Security teams should implement monitoring for outbound link patterns within the Comments Management interface. Web Application Firewalls (WAFs) can be configured to flag or block comments containing suspicious external URLs or known phishing domains.
Review server logs for patterns indicating administrators accessing the Comments Management function followed by immediate credential submission attempts. Implement Content Security Policy (CSP) headers to restrict the ability of opened pages to interact with the parent window.
Browser-based security extensions that block window.opener access can provide an additional layer of protection for administrators reviewing user-generated content.
Monitoring Recommendations
Deploy endpoint detection and response (EDR) solutions to monitor browser processes for suspicious window.opener manipulation attempts. SentinelOne's behavioral AI engine can detect anomalous browser navigation patterns that may indicate Reverse Tabnabbing exploitation.
Configure logging to capture all external link interactions from the administrative interface. Implement alerting for any comment submissions containing links to domains registered within the past 30 days, as these are commonly used in phishing campaigns.
Regularly audit the Comments Management function for any signs of stored malicious content and implement real-time scanning of submitted comments for known malicious indicators.
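The detection strategies above (scanning comment submissions for external links and auditing stored comments for malicious content) can be turned into a simple triage routine. The following is an added example, not code from the FeehiCMS project or from any vendor named on this page; the function names, the sample comments and the site-host allowlist are all constructed for the illustration. It extracts every URL from a comment body, resolves it against the site's own origin, and reports anything that is not an internal link, including javascript: and data: URLs, which are never legitimate in a comment.

```javascript
// Added example (not FeehiCMS code): triage stored comments for links an
// administrator might click from the Comments Management view.
// Hypothetical names; SITE_HOSTS and SAMPLE_COMMENTS are constructed.

// Hostnames that belong to this CMS installation (constructed placeholder values).
const SITE_HOSTS = new Set(['cms.example', 'www.cms.example']);
const SITE_ORIGIN = 'https://cms.example';

// href values (any quoting style) and bare http(s) URLs inside a comment body.
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
const BARE_URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

// Return the distinct candidate URLs found in one comment body.
function extractUrls(body) {
  const urls = new Set();
  for (const m of body.matchAll(HREF_RE)) urls.add((m[1] ?? m[2] ?? m[3]).trim());
  for (const m of body.matchAll(BARE_URL_RE)) urls.add(m[0]);
  return [...urls];
}

// Classify one URL relative to the site's own hosts. Relative URLs resolve
// against SITE_ORIGIN and therefore count as internal; protocol-relative
// URLs (//host/path) resolve to whatever host they name.
function classifyUrl(raw) {
  let url;
  try {
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return { raw, kind: 'unparseable', host: '' };
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol === 'javascript:' || url.protocol === 'data:') {
    return { raw, kind: 'dangerous_scheme', host };
  }
  if (SITE_HOSTS.has(host)) return { raw, kind: 'internal', host };
  return { raw, kind: 'external', host };
}

// Walk all comments and return a review finding for every non-internal link.
// The `host` field is what you would feed to a domain-age or reputation lookup.
function triageComments(comments) {
  const findings = [];
  for (const c of comments) {
    for (const raw of extractUrls(c.body)) {
      const v = classifyUrl(raw);
      if (v.kind !== 'internal') {
        findings.push({ commentId: c.id, author: c.author, ...v });
      }
    }
  }
  return findings;
}

// Constructed sample: three stored comments as the admin view would hold them.
const SAMPLE_COMMENTS = [
  { id: 1, author: 'alice', body: 'Great writeup, see <a href="/blog/2">part two</a>.' },
  { id: 2, author: 'bob',
    body: '<a href="https://cms.example/page" target="_blank">our page</a> ' +
          'and also https://updates-portal.example.net/login' },
  { id: 3, author: 'mallory', body: 'Click <a href="javascript:void(0)">here</a>' },
];

for (const f of triageComments(SAMPLE_COMMENTS)) {
  console.log(`comment ${f.commentId} (${f.author}): ${f.kind} -> ${f.raw}`);
}
```

Run with Node; the two findings printed are the external login-looking URL in comment 2 and the javascript: link in comment 3, while the relative and same-host links are left alone. Feeding each finding's host into a domain-age lookup is how the "registered within the past 30 days" alert from the recommendations above would be implemented; that lookup needs network access and is deliberately left out of the offline example.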
How to Mitigate CVE-2025-63522
Immediate Actions Required
- Audit all existing comments in FeehiCMS for suspicious external links and remove any potentially malicious content
- Implement browser-level protections by using security-focused browsers or extensions that automatically add rel="noopener" to external links
- Train administrators to verify the URL in their original browser tab after clicking any external links in user comments
- Consider temporarily disabling the comment functionality or restricting comment link rendering until a patch is available
Patch Information
As of the latest NVD update on 2025-12-02, administrators should monitor the vendor advisory at https://github.com/liufee/cms/issues/76 for official patch releases. The issue has been documented with the vendor through their GitHub repository.
Organizations running FeehiCMS 2.1.1 should subscribe to the project's GitHub notifications to receive immediate alerts when patches become available. Review the technical advisory at https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63522.md for additional technical details.
Workarounds
Until an official patch is released, administrators can implement manual mitigations by modifying the comment rendering templates to include proper rel attributes on all external links.
The recommended approach involves locating the comment display template files in the FeehiCMS installation and ensuring all anchor tags with target="_blank" include rel="noopener noreferrer". This prevents the opened page from accessing the window.opener property.
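The root cause described earlier (anchor tags rendered with target="_blank" but without rel="noopener noreferrer") and the template workaround just described can both be illustrated with a small rewriter applied to the comment HTML before it reaches the administrator's browser. This is an added example, not FeehiCMS code and not a patch from the vendor; the function names and the sample comment are constructed. It parses each anchor tag's attributes, leaves same-tab links untouched, and adds the missing rel tokens while preserving any that were already present, so it is safe to run on every render.

```javascript
// Added example (not FeehiCMS code): rewrite anchor tags in already-rendered
// comment HTML so that any link opened in a new browsing context carries
// rel="noopener noreferrer", which leaves window.opener null in the opened
// page and so removes the handle Reverse Tabnabbing relies on.
// Hypothetical helper names; SAMPLE_COMMENT is constructed.

const ANCHOR_TAG = /<a\b([^>]*)>/gi;
// name, then optionally = "value" | 'value' | unquoted-value
const ATTR = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse the attribute list of one <a ...> tag into a Map keyed by lower-cased
// name; valueless attributes (e.g. download) are stored as null.
function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR)) {
    const value = m[2] ?? m[3] ?? m[4] ?? null;
    attrs.set(m[1].toLowerCase(), value);
  }
  return attrs;
}

// Serialise attributes back, double-quoting values and escaping embedded quotes.
function serialiseAttrs(attrs) {
  return [...attrs]
    .map(([k, v]) => (v === null ? k : `${k}="${v.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// True when the anchor opens a new browsing context (target="_blank").
function opensNewContext(attrs) {
  return (attrs.get('target') || '').trim().toLowerCase() === '_blank';
}

// Ensure rel contains both noopener and noreferrer, keeping other tokens.
function hardenRel(rel) {
  const tokens = new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// Rewrite every <a target="_blank"> in the fragment. Returns the hardened HTML
// and how many anchors were changed, which is useful as a log/metric signal.
function hardenExternalLinks(html) {
  let changed = 0;
  const out = html.replace(ANCHOR_TAG, (whole, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!opensNewContext(attrs)) return whole;
    const before = attrs.get('rel') || '';
    const hadBoth = /\bnoopener\b/i.test(before) && /\bnoreferrer\b/i.test(before);
    if (hadBoth) return whole;
    attrs.set('rel', hardenRel(before));
    changed++;
    return `<a ${serialiseAttrs(attrs)}>`;
  });
  return { html: out, changed };
}

// Constructed sample: a stored comment body as the admin view might render it.
const SAMPLE_COMMENT =
  '<p>Nice post! See <a href="https://example.net/page" target="_blank">this</a> ' +
  "and <a href='https://example.org/' target=\"_BLANK\" rel=\"nofollow\">that</a>, " +
  'plus a same-tab <a href="/local">link</a>.</p>';

console.log(hardenExternalLinks(SAMPLE_COMMENT));
```

Two practical notes. First, this is a rendering-side fix; the durable fix is in the template that emits the anchors, exactly as the workaround above says. Second, current browsers (Firefox 79+, Chrome 88+, Safari 12.1+) already treat target="_blank" as implying noopener, so the practical exposure is on older browsers and on links opened through window.open() without the 'noopener' feature; adding the attributes explicitly is still worthwhile as defence in depth, and noreferrer additionally stops the admin panel's URL from leaking in the Referer header to the external site.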
Additionally, implement a Content Security Policy header that restricts frame ancestors and navigation targets. Configure your web server or reverse proxy to add headers that limit cross-origin interactions from external pages.
For Apache web servers, add the following to your .htaccess or virtual host configuration:
# Add security headers to mitigate Reverse Tabnabbing
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Content-Security-Policy "frame-ancestors 'self'"
For Nginx configurations:
# Add security headers to mitigate Reverse Tabnabbing
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;
Of these, Cross-Origin-Opener-Policy: same-origin is the header that isolates the admin panel's browsing context, so a page opened from it in a new tab cannot reach it through window.opener; frame-ancestors 'self' separately prevents the admin pages from being embedded in frames on other origins. Apply both, and confirm with a response-header check on the admin URL after reloading the web server.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

