Reflected Cross-Site Scripting in search in thorsten/phpmyfaq
Oct 20th 2022
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Proof of Concept
- Go to your phpMyFAQ instance and visit http://<ip>/phpmyfaq/index.php?search=
- Inject the payload into the search parameter: 1af"+onclick='alert(1)'
- Click the search field; the XSS popup appears (the script executed)
PoC screenshot: https://drive.google.com/file/d/1VSAqG3MY7uyuXzl1OwrNa-c1g1A0iv2l/view?usp=sharing
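
The payload above only works if the search value lands unencoded inside a quoted HTML attribute. The following is an added example, not code from phpMyFAQ or from the report: it assumes the parameter is reflected into a double-quoted value attribute of the search input, and the function names are hypothetical. It renders the report's payload raw and encoded, then parses both results to show whether an onclick attribute was created.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a search form template; not phpMyFAQ's code.
// Assumption: "search" is reflected into a double-quoted value attribute.

/** Vulnerable: raw request value concatenated into an attribute. */
function renderSearchInputRaw(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '">';
}

/** Hardened: encode for the HTML attribute context before output. */
function renderSearchInputEncoded(string $search): string
{
    $safe = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $safe . '">';
}

/** Returns the attribute names an HTML parser sees on the first <input>. */
function inputAttributes(string $html): array
{
    $doc = new DOMDocument();
    // Parser warnings for the malformed fragment are expected; silence them.
    @$doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->name;
        }
    }
    return $names;
}

// Payload from the report as PHP receives it in $_GET['search']:
// the "+" in the query string is decoded to a space.
$payload = "1af\" onclick='alert(1)'";

$variants = [
    'raw'     => renderSearchInputRaw($payload),
    'encoded' => renderSearchInputEncoded($payload),
];
foreach ($variants as $label => $html) {
    $injected = in_array('onclick', inputAttributes($html), true);
    printf("%-8s handler_injected=%s\n  %s\n", $label, $injected ? 'yes' : 'no', $html);
}
```

The same attribute check can serve as a regression test for any template that echoes request parameters into form fields.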