Store DOM XSS in Edit configuration in thorsten/phpmyfaq

Valid

Reported on

Aug 28th 2023


Description

I noticed your website is very secure.

But you overlooked a flaw: XSS.

Proof of Concept

1. Log in with the admin demo account and access the admin page.

2. Create a category titled "test456".

3. Go to Configuration ==> Edit configuration.

4. Change the "URL of your FAQ" data field to the payload:

     javascript:alert(1)"

5. Go back to the homepage and see that the site structure has been completely changed. Click "test456" to observe the XSS.

Video Poc

https://drive.google.com/file/d/1FxFSglKYeqSBp_dvSaDji3syj4Re32PO/view?usp=sharing

Img Poc

https://drive.google.com/file/d/1jfBIhXEpyKive2O3W58uDjmJB63kD6l3/view?usp=sharing

Impact

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...
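As an added defensive illustration (not code from phpMyFAQ or from the report), the two controls that close this class of bug: validate the stored "URL of your FAQ" value so only absolute http(s) URLs are accepted, and attribute-encode it wherever it is rendered into a link. The function names, the sample URLs and the rendering helpers are assumptions for the example; the payload is the one from the report.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values: the payload from the report and an ordinary FAQ URL.
PAYLOAD = 'javascript:alert(1)"'
GOOD_URL = "https://faq.example.test/"
ALLOWED_SCHEMES = {"http", "https"}


def validate_faq_url(value: str) -> Optional[str]:
    """Return the URL if it is an absolute http(s) URL, otherwise None.

    Rejects javascript:, data:, scheme-relative and relative values, and drops
    control characters (tab, newline) that browsers tolerate inside a scheme.
    """
    cleaned = "".join(ch for ch in value.strip() if ch.isprintable())
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Quotes and angle brackets have no place in a base URL; refuse rather than fix.
    if any(ch in cleaned for ch in "\"'<>"):
        return None
    return cleaned


def render_link_unsafe(url: str, text: str) -> str:
    """The vulnerable pattern: the stored value is concatenated into markup as-is."""
    return '<a href="' + url + '">' + text + '</a>'


def render_link(url: str, text: str) -> str:
    """Hardened rendering: refuse bad schemes at output time too, then attribute-encode.

    Note that encoding alone is not enough: an encoded javascript: URL is still a
    javascript: URL once the browser decodes the attribute, so the scheme check
    must happen as well as the escaping.
    """
    safe_url = validate_faq_url(url) or "#"
    return '<a href="%s">%s</a>' % (html.escape(safe_url, quote=True), html.escape(text))
```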

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago
HaiNguyen modified the report
3 months ago
HaiNguyen modified the report
3 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 3 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 3 months ago
Thorsten Rinne validated this vulnerability 3 months ago
HaiNguyen has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.18 with commit e92369 3 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 30th 2023
HaiNguyen (Researcher), 3 months ago:

Great, thank you so much

Thorsten Rinne published this vulnerability 2 months ago