XSS in Comment Faq news username parameter in thorsten/phpmyfaq
Reported on
Feb 12th 2023
Description
Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to impact users even after the initial injection has taken place.
Proof of Concept
1. Go to a FAQ news entry that has comments enabled
2. Insert an XSS payload into the email field
3. Send the comment
4. The XSS triggers in https://roy.demo.phpmyfaq.de/admin/?action=comments
Screenshot: https://drive.google.com/file/d/1JxW2jKI-6ljGn0VpfkpUDUoLx0N8eNgh/view?usp=share_link
Impact
Stored XSS can have significant impacts on both the application and its users. For example, an attacker can steal a victim's login credentials, manipulate the information displayed on a page, or launch phishing attacks to trick the victim into disclosing sensitive information. Here the payload fires in the admin comments view, so the victim is an administrator reviewing comments.
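The proof of concept above boils down to one check: does a username submitted with a comment reach the admin comments page as raw HTML, or does it get encoded first? The following is an added illustration written for this page, not phpMyFAQ's code. It assumes a row template of a made-up shape (`render_row_vulnerable` echoes the value raw, `render_row_fixed` encodes it), reuses the `admin"><h1>aaa</h1>` payload from the thread, and gives a parser-based test you can point at a fetched admin page to tell a real injected element apart from escaped text.

```python
"""Stored-XSS check for a comment username field, modelled in Python.

Added example, not phpMyFAQ's code. The two render_* functions are an
assumed shape of an admin "comments" table row: one echoes the username
raw (the bug class reported), the other HTML-encodes it (the fix class).
"""
import html
from html.parser import HTMLParser

# Payload from the report's last comment: it closes the value="..."
# attribute, closes the <input> tag, then injects a heading.
PAYLOAD = 'admin"><h1>aaa</h1>'


def render_row_vulnerable(username, comment):
    """Assumed vulnerable template: untrusted input concatenated into both
    an attribute value and element text without encoding."""
    return (
        f'<tr><td><input type="checkbox" name="sel" value="{username}"></td>'
        f'<td>{username}</td><td>{comment}</td></tr>'
    )


def render_row_fixed(username, comment):
    """Same row with every untrusted value encoded; quote=True also turns
    the double quote into &quot; so the attribute cannot be closed early."""
    u = html.escape(username, quote=True)
    c = html.escape(comment, quote=True)
    return (
        f'<tr><td><input type="checkbox" name="sel" value="{u}"></td>'
        f'<td>{u}</td><td>{c}</td></tr>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser's tokenizer would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_tags(render, username=PAYLOAD):
    """Tags that appear when the payload is rendered but not for a benign
    username. Non-empty means the template lets input become markup."""
    baseline = set(tags_in(render("alice", "first comment")))
    with_payload = set(tags_in(render(username, "first comment")))
    return with_payload - baseline


class _MarkerFinder(HTMLParser):
    """Looks for marker_text as the content of a real marker_tag element."""

    def __init__(self, marker_tag, marker_text):
        super().__init__()
        self.marker_tag, self.marker_text = marker_tag, marker_text
        self.inside, self.hit = False, False

    def handle_starttag(self, tag, attrs):
        if tag == self.marker_tag:
            self.inside = True

    def handle_endtag(self, tag):
        if tag == self.marker_tag:
            self.inside = False

    def handle_data(self, data):
        if self.inside and self.marker_text in data:
            self.hit = True


def marker_fires(page_html, marker_tag="h1", marker_text="aaa"):
    """Run over a fetched admin page: True only if the marker is parsed as
    an element. Escaped output (&lt;h1&gt;aaa&lt;/h1&gt;) decodes to text,
    never to a start tag, so it returns False."""
    finder = _MarkerFinder(marker_tag, marker_text)
    finder.feed(page_html)
    finder.close()
    return finder.hit


if __name__ == "__main__":
    for name, render in (("vulnerable", render_row_vulnerable),
                         ("fixed", render_row_fixed)):
        page = render(PAYLOAD, "first comment")
        print(name, "injected:", injected_tags(render),
              "marker fires:", marker_fires(page))
```

To use `marker_fires` against the real demo, submit a comment whose username carries a unique marker text instead of `aaa`, fetch `/admin/?action=comments` as an administrator, and pass the response body in; a unique marker keeps a pre-existing `<h1>` on the page from producing a false positive.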
Wrong form, sorry, I mean the username form.
Screenshot
https://drive.google.com/file/d/1yeURfLb5cfXqEdxOBoaAiMepqPKBzJ05/view?usp=share_link
Looks like I fixed that already in 3.1.11. The demo page is still on the buggy 3.1.10 version.
Sounds good, I'm here looking for a CVE. Usually, vulnerabilities in old versions are documented with a CVE. If possible, I would request a CVE assignment. But if it's not allowed, I will close this report. BTW, thank you for your cooperation on some of my reports.
I can still reproduce this issue on demo 3.1.11... try adding admin"><h1>aaa</h1> in the username form... I can do XSS too.