Security readout for executives and security teams
Plain-English summary
FUEL CMS v1.4.6 is reported to have cross-site scripting in page metadata fields. If an attacker can place malicious content in page title, meta description, or meta keywords, script may run in another user’s browser. Public data supplied here does not include a CVSS score, confirmed fix, or evidence of active exploitation.
Executive priority
Prioritize assessment if FUEL CMS is internet-facing or supports multiple content editors. Urgency is lower than known-exploited vulnerabilities, but CMS XSS can still enable account abuse and reputational damage.
Technical view
The CVE describes XSS in the FUEL CMS pages function affecting title, meta description, and meta keywords handling. The supplied records name FUEL CMS v1.4.6 but provide no CPE, CWE, CVSS vector, exploit status, or patched version. Browser-side code execution is supported; server-side arbitrary code execution is not established by the supplied evidence.
Likely exposure
Organizations running FUEL CMS v1.4.6, especially where untrusted or lower-privileged users can edit page metadata, are the likely exposure group.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The GitHub issue is the only technical public reference supplied.
Researcher notes
Evidence is thin: the CVE record identifies vulnerable fields and version, but lacks severity scoring, affected CPEs, fixed version, and exploitation confirmation. Avoid treating the phrase arbitrary code as server compromise without additional evidence.
Mitigation direction
- Identify any FUEL CMS v1.4.6 deployments.
- Check Daylight Studio FUEL CMS guidance for fixed releases or recommended workarounds.
- Restrict page-editing access to trusted administrators only.
- Review output encoding and sanitization for page metadata fields.
- Consider compensating controls for CMS admin access until vendor guidance is confirmed.
Validation and detection
- Inventory CMS versions and confirm whether v1.4.6 is present.
- Review who can edit page title and metadata fields.
- Test in a safe environment for improper script rendering in metadata fields.
- Check logs for suspicious page metadata changes.
- Verify any vendor update or workaround in staging before production rollout.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2020-22152 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://github.com/daylightstudio/FUEL-CMS/issues/552CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
