Stored XSS in Attachment File Name in thorsten/phpmyfaq


Reported on

Oct 2nd 2023


A stored cross-site scripting vulnerability exists within the file attachment upload functionality.

Replication Steps

0x01. As a user with only the "Edit Record" and "Add Attachments" permissions, the user proceeded to edit a FAQ record and clicked "Add new attachment", as seen in the following screenshot:


0x02. The user proceeded to select a local file. Using an interception proxy, the file upload request was modified to contain an XSS payload, as seen in the following screenshot:


The filename parameter was set to the following XSS payload:

file.txt\"><svg onload=alert(document.domain)>

0x03. The request was allowed to proceed and the file upload succeeded, as seen in the following screenshot:


0x04. A separate administrative user logged in and navigated to the FAQ record where the file was uploaded; and the script executed, as seen in the following screenshot:


The DOM was inspected and the injected <svg> containing the JavaScript was located, as seen in the following screenshot:


Test Environment

Version: phpMyFAQ 4.0.0-dev

git log:

commit cfe7269b349dfba1dd6af1494b44f7963cb2b470 (tag: development-nightly-2023-10-02)
Merge: be343c9f6 67cbe1897
Author: Thorsten Rinne <>
Date:   Sun Oct 1 16:48:38 2023 +0200

    Merge branch '3.2'


This allows an attacker to execute arbitrary client side JavaScript within the context of another user's phpMyFAQ session.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 2 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne validated this vulnerability 2 months ago
Matt Zajork has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.2.2 with commit 5310cb 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Oct 31st 2023
AttachmentHelper.php#L48 has been validated
Thorsten Rinne published this vulnerability a month ago
to join this conversation