XSS in hyperlink when create FAQ News in thorsten/phpmyfaq

Valid

Reported on

Feb 12th 2023


Description

Stored Cross-Site Scripting (XSS) through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the malicious script is executed in the user's browser, allowing the attacker to steal sensitive information, modify the appearance of the website, deliver malware, and perform other malicious actions.

Proof of Concept

1.Go to https://roy.demo.phpmyfaq.de/admin/?action=edit-news&id=4
2.Fill link form or title of the link form and post the faq news
3.Xss will trigger in main domain

https://drive.google.com/file/d/1mOAG06iMtCtxsoDm6g4r4taXCuVsvETT/view?usp=share_link

Impact

attacker with custom user rights can steal cooke

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
isdkrisna
a year ago

Researcher


payload xss in point 2

isdkrisna modified the report
a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
isdkrisna
a year ago

Researcher


Sounds good, I'm here looking for a CVE. Usually, vulnerabilities in old versions are documented with a CVE. If possible, I would request that CVE assign. But if it's not allowed, I will close this report. BTW, Thank you for your cooperation on some of my reports.

Thorsten Rinne
a year ago

Maintainer


I don't know if that's possible, maybe we can get some help from the @admin

isdkrisna
a year ago

Researcher


is the demo version is 3.1.11? i was able to bypass xss and stored html injection

payload: javascript:alert('1') "><h1>test</h1>

Video >>

isdkrisna
a year ago

Researcher


https://drive.google.com/file/d/1Kejf7YtLo2tKGZHcvNbvx_-K1NMZ5Adz/view?usp=share_link

isdkrisna
a year ago

Researcher


yups, i tried in local with 3.1.11 can bypass using javascript:alert('1')

Thorsten Rinne validated this vulnerability a year ago
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.12 with commit 5061e5 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation