XSS in Comment Faq news username parameter in thorsten/phpmyfaq
Feb 12th 2023
Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to impact users even after the initial injection has taken place.
Proof of Concept
1. Go to faq news who activate comment 2. Insert xss payload in email form 3. Send Comment 4.XSS will trigger in https://roy.demo.phpmyfaq.de/admin/?action=comments
Stored XSS through hyperlinks can have significant impacts on both the application and its users. For example, the attacker can steal the victim's login credentials, manipulate the information displayed on a page, and even launch phishing attacks to trick the victim into disclosing sensitive information.