Stored XSS in FAQ comments in thorsten/phpmyfaq

Valid

Reported on

Dec 18th 2022


Description

Stored XSS in FAQ comments: any visitor or anonymous user can inject an XSS payload into the "Name" and "Message" input fields. The payload is stored, fires in the admin panel on the comments page, and is also stored in the FAQ page itself.

Proof of Concept

https://drive.google.com/file/d/1XZexc1DkZjnzAXQwWfjyrZ_vUyTLcKgW/view?usp=sharing

Impact

User and admin account takeover
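
The pattern behind a stored XSS in comment fields, next to output-encoded rendering, as an added example; it is not phpMyFAQ code and not the fix from the commit. The function names, the `username` and `comment` field names, and the sample comments are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample comment rows, as they might come back from storage.
// The field names (username, comment) are assumptions for this example.
$comments = [
    ['username' => 'Alice', 'comment' => 'Thanks, this answered my question.'],
    ['username' => '<script>alert(1)</script>', 'comment' => '<img src=x onerror=alert(2)>'],
];

/** Encode a value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored fields are concatenated into markup as-is. */
function renderCommentUnsafe(array $c): string
{
    return '<div class="comment"><strong>' . $c['username'] . '</strong><p>'
        . $c['comment'] . '</p></div>';
}

/** Hardened pattern: every stored field is encoded at output time. */
function renderCommentSafe(array $c): string
{
    return '<div class="comment"><strong>' . e($c['username']) . '</strong><p>'
        . nl2br(e($c['comment'])) . '</p></div>';
}

// True when markup from a stored field survived into the rendered HTML.
$leaks = static fn(string $html): bool =>
    stripos($html, '<script') !== false || stripos($html, '<img') !== false;

foreach ($comments as $c) {
    printf(
        "%-10s unsafe_leaks=%s safe_leaks=%s\n",
        substr($c['username'], 0, 10),
        $leaks(renderCommentUnsafe($c)) ? 'yes' : 'no',
        $leaks(renderCommentSafe($c)) ? 'yes' : 'no'
    );
}
```

The same encoding has to be applied in every view that prints the stored fields, which here means both the public FAQ page and the admin comments page.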

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability a year ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.10 with commit 53099a a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
record.comments.php#L76 has been validated
Thorsten Rinne published this vulnerability a year ago