CVE-2020-36607 is a Cross Site Scripting (XSS) vulnerability identified in FeehiCMS version 2.0.8. The vulnerability arises from improper sanitization or validation of the 'lang' attribute within HTML tags processed by the CMS. An attacker can exploit this flaw by injecting malicious scripts into the 'lang' attribute, which are then executed in the context of the victim's browser when viewing affected pages. This type of vulnerability falls under CWE-79, indicating that it is a classic reflected or stored XSS issue. The CVSS 3.1 base score is 6.1, categorizing it as a medium severity vulnerability. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network without any privileges and requires user interaction (e.g., clicking a crafted link). The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component, potentially impacting the confidentiality and integrity of data. The vulnerability does not affect availability. No known exploits are reported in the wild, and no official patches or vendor advisories are currently available. The vulnerability is specific to FeehiCMS, an open-source content management system primarily used for website management and content publishing. The lack of detailed vendor or product information limits the granularity of the analysis, but the vulnerability's nature suggests that any web application relying on FeehiCMS 2.0.8 or similar versions is at risk of XSS attacks that could lead to session hijacking, credential theft, or unauthorized actions performed on behalf of authenticated users.

For European organizations using FeehiCMS 2.0.8, this vulnerability poses a risk primarily to the confidentiality and integrity of web-based interactions. Successful exploitation could allow attackers to execute arbitrary JavaScript in users' browsers, potentially leading to theft of session cookies, redirection to malicious sites, or manipulation of displayed content. This can undermine user trust, lead to data leakage, and facilitate further attacks such as phishing or privilege escalation. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be significant. Organizations operating public-facing websites or intranet portals with FeehiCMS are particularly vulnerable. The requirement for user interaction means that social engineering or phishing campaigns could be used to lure victims into triggering the exploit. Given the medium severity and absence of known exploits, the immediate risk is moderate but could escalate if exploit code becomes publicly available.

1. Immediate mitigation should focus on input validation and output encoding: ensure that all user-supplied data, especially the 'lang' attribute in HTML tags, is properly sanitized and encoded before rendering. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 3. Monitor web traffic and logs for unusual activity or attempts to inject scripts via the 'lang' attribute or other vectors. 4. Educate users and administrators about the risks of clicking on suspicious links that could trigger XSS payloads. 5. If possible, upgrade FeehiCMS to a version where this vulnerability is fixed or apply community patches if available. 6. Use web application firewalls (WAFs) with rules specifically designed to detect and block XSS attempts targeting the 'lang' attribute or similar injection points. 7. Conduct regular security assessments and penetration testing focusing on XSS vulnerabilities in web applications. 8. Isolate critical systems and restrict administrative access to reduce the potential impact of compromised sessions.