CVE-2025-63522 Overview
CVE-2025-63522 is a Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1, affecting the Comments Management function. The flaw maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) and stems from links that open in a new tab without applying rel="noopener noreferrer" protections. An attacker who submits a crafted comment can cause the parent tab to be navigated to an attacker-controlled URL when a victim clicks the link. This enables convincing phishing scenarios because the redirected page appears to originate from the trusted FeehiCMS site.
Critical Impact
Authenticated attackers can leverage comment links to redirect victim browser tabs to phishing pages, compromising confidentiality and integrity of user sessions.
Affected Products
- FeehiCMS 2.1.1
- Comments Management function
- Deployments using the affected feehi:feehicms package (cpe:2.3:a:feehi:feehicms:2.1.1)
Discovery Timeline
- 2025-12-01 - CVE-2025-63522 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-63522
Vulnerability Analysis
The vulnerability resides in the Comments Management function of FeehiCMS 2.1.1. User-supplied hyperlinks render as anchor tags that open in new browser tabs without restrictive link relation attributes. Browsers that do not apply implicit noopener protection expose the window.opener reference to the destination page when target="_blank" is used without rel="noopener"; current browser versions apply noopener implicitly to target="_blank" links per the HTML standard, so exposure is confined to older browsers and to links that explicitly set rel="opener". Attackers exploit this reference to navigate the originating tab to a controlled URL using window.opener.location. The attack requires user interaction because a victim must click the malicious link.
The exploitation pattern is well documented in OWASP guidance on reverse tabnabbing. Attackers typically craft phishing pages that mimic the FeehiCMS login screen, harvesting credentials when victims return to what appears to be the original tab. The scope remains unchanged because the attack operates within the user's browser session.
Root Cause
The root cause is that rendered comment hyperlinks are emitted without link relation controls. The Comments Management function does not enforce rel="noopener noreferrer" or rel="noreferrer" attributes on user-supplied links that use target="_blank". Without these attributes, the destination page retains a live reference to the opener window object.
Attack Vector
An authenticated attacker with comment submission privileges posts a comment containing a hyperlink that points to a malicious site. When a victim views the comment and clicks the link, a new tab loads the attacker page while the original FeehiCMS tab remains in the background. The attacker page executes JavaScript that calls window.opener.location = 'https://attacker-phish.example/login', replacing the trusted tab with a phishing replica. Refer to the GitHub CVE-2025-63522 Details and the GitHub CMS Issue Discussion for proof-of-concept context.
Detection Methods for CVE-2025-63522
Indicators of Compromise
- Comment entries containing external hyperlinks pointing to domains unrelated to site content
- Web server access logs showing comment submissions followed by referrer traffic to unknown domains
- User reports of unexpected redirects after clicking comment links on FeehiCMS pages
Detection Strategies
- Audit rendered comment HTML for anchor tags using target="_blank" without rel="noopener" or rel="noreferrer"
- Implement Content Security Policy (CSP) reporting to identify outbound navigations triggered from comment content
- Review comment moderation queues for links to recently registered or low-reputation domains
Monitoring Recommendations
- Enable web application firewall logging on comment submission endpoints to capture URL payloads
- Monitor authentication endpoints for credential stuffing patterns that may follow successful phishing redirection
- Correlate user session anomalies, such as repeated logins from new geographies, with prior comment link engagement
How to Mitigate CVE-2025-63522
Immediate Actions Required
- Restrict comment submission to trusted authenticated users until a patched release is deployed
- Enable comment moderation so administrators review all hyperlinks before publication
- Communicate phishing awareness guidance to users who interact with FeehiCMS comment content
Patch Information
No vendor patch has been published in the NVD record at the time of writing. Track the upstream issue tracker at the GitHub CMS Issue Discussion for remediation updates from the FeehiCMS maintainers.
Workarounds
- Apply a template-level filter that injects rel="noopener noreferrer" into every anchor tag rendered from user comments
- Strip or rewrite target="_blank" attributes from user-supplied HTML before rendering
- Deploy a Content Security Policy that constrains navigation targets and blocks unexpected outbound redirects
# Example reverse proxy (nginx) headers that isolate the opener and referrer at the HTTP layer.
# Cross-Origin-Opener-Policy: same-origin severs the window.opener link between FeehiCMS pages and
# any cross-origin page they open (it is honoured only over HTTPS, and it also breaks legitimate
# cross-origin popup flows such as OAuth windows that rely on window.opener).
# Referrer-Policy: no-referrer suppresses the Referer header on outbound navigations.
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Referrer-Policy "no-referrer" always;
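The following Python script is an added example, not FeehiCMS code and not part of the original advisory. It implements both the audit from the Detection Strategies section (find anchor tags using target="_blank" without rel="noopener" or rel="noreferrer") and the template-level rewrite from the first workaround (inject rel="noopener noreferrer" into every such anchor). The comment markup is a constructed sample; the functions assume they are run on a comment body after the CMS's own HTML sanitiser has already removed script, comments and other non-markup content.

```python
import re

# Opening <a ...> tags, case-insensitive. The attribute text is everything up to
# the first '>', so attribute values containing '>' are not supported here; run
# this on sanitised comment markup, not on raw user input.
ANCHOR_RE = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)
# name="value", name='value', name=value or a bare attribute name.
ATTR_RE = re.compile(
    r"""([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")

# Tokens the workaround injects; the audit accepts either one on its own.
REQUIRED_REL = ("noopener", "noreferrer")

# Constructed sample comment: two vulnerable links, one already hardened with
# noopener, and one that opens in the same tab (not affected).
SAMPLE_COMMENT = (
    '<p>Nice post, see <a href="https://example.invalid/page" target="_blank">this</a> '
    'and <a target="_blank" rel="nofollow" href="https://example.invalid/other">that</a>, '
    'or <a href="/internal" TARGET="_BLANK" rel="noopener">local</a> '
    'and <a href="https://example.invalid/same">same tab</a>.</p>'
)


def parse_attrs(attr_text):
    """Return {lowercased attribute name: value or None for bare attributes},
    preserving source order."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next((g for g in m.groups()[1:] if g is not None), None)
        attrs[name] = value
    return attrs


def rel_tokens(attrs):
    """The rel attribute as a lowercased set of whitespace-separated tokens."""
    return set((attrs.get("rel") or "").lower().split())


def opens_new_tab(attrs):
    return (attrs.get("target") or "").lower() == "_blank"


def rebuild_anchor(attrs):
    """Serialise the attribute dict back into an opening <a> tag."""
    parts = []
    for name, value in attrs.items():
        if value is None:
            parts.append(name)
        else:
            parts.append('%s="%s"' % (name, value.replace('"', "&quot;")))
    return "<a " + " ".join(parts) + ">"


def audit_anchors(html):
    """Detection: return the <a> tags that open a new tab without rel="noopener"
    or rel="noreferrer", i.e. the condition CVE-2025-63522 describes."""
    findings = []
    for m in ANCHOR_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        if opens_new_tab(attrs) and not (rel_tokens(attrs) & set(REQUIRED_REL)):
            findings.append(m.group(0))
    return findings


def harden_anchors(html):
    """Mitigation: rewrite every target="_blank" anchor so that its rel attribute
    carries both noopener and noreferrer, keeping any existing rel tokens."""
    def fix(m):
        attrs = parse_attrs(m.group(1))
        if not opens_new_tab(attrs):
            return m.group(0)
        tokens = rel_tokens(attrs)
        if set(REQUIRED_REL) <= tokens:
            return m.group(0)  # already hardened; leave the tag untouched
        attrs["rel"] = " ".join(sorted(tokens | set(REQUIRED_REL)))
        return rebuild_anchor(attrs)
    return ANCHOR_RE.sub(fix, html)


if __name__ == "__main__":
    for tag in audit_anchors(SAMPLE_COMMENT):
        print("vulnerable anchor:", tag)
    print(harden_anchors(SAMPLE_COMMENT))
```

The rewrite is idempotent (hardened output passes the audit and is unchanged by a second pass), so it can be applied at render time on every request rather than only once at comment submission, which also covers comments stored before the filter was deployed.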
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

