Stored XSS edit Config Link in thorsten/phpmyfaq

Valid

Reported on

Feb 12th 2023


Description

Stored Cross-Site Scripting (XSS) through hyperlinks refers to a type of security vulnerability that occurs when an attacker injects malicious code into a hyperlink, which is then stored in the application's database or web server. When a user clicks on the infected hyperlink, the malicious script is executed in the user's browser, allowing the attacker to steal sensitive information, modify the appearance of the website, deliver malware, and perform other malicious actions.

Proof of Concept

1.Go to https://roy.demo.phpmyfaq.de/admin/?action=config&config_action=saveConfig
2.Edit URL for Privacy note  form with javascript:alert(1)"> <script>alert('1337')</script>
3.Go to https://roy.demo.phpmyfaq.de/?action=request-removal

https://drive.google.com/file/d/1HsdF1ZFn9JlD7irRDiVu78Tnx40lm-Io/view?usp=share_link

#Mitigation To prevent stored XSS through hyperlinks, it is important for website and web application owners to implement proper input validation and sanitization to prevent malicious code from being stored in the application's database or web server. Additionally, it is important for users to be cautious when clicking on unknown or suspicious hyperlinks and to only click on links from trusted sources.

Impact

Stored XSS through hyperlinks can have significant impacts on both the application and its users. For example, the attacker can steal the victim's login credentials, manipulate the information displayed on a page, and even launch phishing attacks to trick the victim into disclosing sensitive information.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne validated this vulnerability a year ago
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.12 with commit 49db61 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation