Store DOM XSS in Edit configuration in thorsten/phpmyfaq
Aug 28th 2023
Description I noticed, your website is very secure.
But you overlooked a flaw XSS
Proof of Concept
1 .Login vs admin demo account and access admin page.
2 .Create a category titled "test456".
3 .Go to Configuration ==> Edit configuration.
4 .Change the "URL of your FAQ" data field with the payload:
5 . Back to the homepage, see the site structure has been completely changed. Click "test456" detect XSS.
This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...