XSS in Comment Faq news username parameter in thorsten/phpmyfaq

Valid

Reported on

Feb 12th 2023


Description

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to impact users even after the initial injection has taken place.

Proof of Concept

1. Go to a FAQ news entry that has comments activated
2. Insert an XSS payload in the email form
3. Send the comment
4. The XSS will trigger in https://roy.demo.phpmyfaq.de/admin/?action=comments

SS https://drive.google.com/file/d/1JxW2jKI-6ljGn0VpfkpUDUoLx0N8eNgh/view?usp=share_link

Impact

Stored XSS through hyperlinks can have significant impacts on both the application and its users. For example, the attacker can steal the victim's login credentials, manipulate the information displayed on a page, and even launch phishing attacks to trick the victim into disclosing sensitive information.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago
Thorsten Rinne gave praise 7 months ago
gotcha!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
isdkrisna
7 months ago

Researcher


Wrong form, sorry, I mean the username form

Screenshot

https://drive.google.com/file/d/1yeURfLb5cfXqEdxOBoaAiMepqPKBzJ05/view?usp=share_link

Thorsten Rinne
7 months ago

Maintainer


Looks like I fixed that already in 3.1.11. The demo page is still on the buggy 3.1.10 version.

isdkrisna modified the report
7 months ago
isdkrisna
7 months ago

Researcher


Sounds good, I'm here looking for a CVE. Usually, vulnerabilities in old versions are documented with a CVE. If possible, I would request that a CVE be assigned. But if it's not allowed, I will close this report. BTW, thank you for your cooperation on some of my reports.

isdkrisna
7 months ago

Researcher


I can still reproduce this issue on demo 3.1.11... try to add admin"><h1>aaa</h1> in the username form... I can do XSS too

Thorsten Rinne validated this vulnerability 7 months ago
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne gave praise 7 months ago
gotcha!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne marked this as fixed in 3.1.12 with commit f3380f 7 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 6 months ago
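
The defect class reported in this thread, shown as an added example that is not phpMyFAQ's code and not the fix commit: a stored comment username rendered in an admin list without and with output encoding. The row layout and the names `renderCommentRowUnsafe`, `renderCommentRowSafe` and `e` are hypothetical; the username is the value quoted in the thread.

```php
<?php
declare(strict_types=1);

// Constructed sample row; the username is the value quoted in the thread.
$comment = [
    'id'       => 1,
    'username' => 'admin"><h1>aaa</h1>',
    'comment'  => 'Thanks for the update',
];

// Before: the stored value is concatenated into markup unchanged, so the
// quote and angle brackets end the attribute and start new elements.
function renderCommentRowUnsafe(array $c): string
{
    return '<tr data-id="' . (int) $c['id'] . '">'
        . '<td title="' . $c['username'] . '">' . $c['username'] . '</td>'
        . '<td>' . $c['comment'] . '</td></tr>';
}

// Encode for HTML text and quoted attribute values. ENT_QUOTES covers both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every stored field is encoded at the point of output.
function renderCommentRowSafe(array $c): string
{
    return '<tr data-id="' . (int) $c['id'] . '">'
        . '<td title="' . e($c['username']) . '">' . e($c['username']) . '</td>'
        . '<td>' . e($c['comment']) . '</td></tr>';
}

$unsafe = renderCommentRowUnsafe($comment);
$safe   = renderCommentRowSafe($comment);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// Regression check: no raw tag from the stored username may reach the page.
if (strpos($safe, '<h1>') !== false || strpos($unsafe, '<h1>') === false) {
    throw new RuntimeException('output encoding check failed');
}
echo "check passed\n";
```

Encoding at the point of output protects the admin view regardless of which form field the value arrived through.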