stored XSS Protection bypass by changing the User Profile Name in thorsten/phpmyfaq

Valid

Reported on

Mar 10th 2023


Hello,

I was able to bypass the XSS Vulnerability I reported before by using this Payload.

Let's try first a normal XSS Payload which will not work

for example -> <script>alert('1')</script> -> NOT WORKING :)

Let's try the bypass payload

1'"><img/src/onerror=.1|alertAHMED-Vienna>

XSS Payload fired and it's stored -> let me show you

stored XSS :)

-> it is a stored XSS.

Let's see.

Thank you for watching :)
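As an added illustration (not phpMyFAQ's code and not part of the original report), the Python sketch below shows why a filter that only removes script tags still passes the second payload, while escaping the profile name for its HTML output context neutralizes both; the blocklist shape is an assumption about the pre-fix behaviour, and the detection heuristic is a suggested check for reviewing stored names.

```python
import html
import re

# Constructed copies of the two payloads quoted in the report.
SCRIPT_PAYLOAD = "<script>alert('1')</script>"
BYPASS_PAYLOAD = "1'\"><img/src/onerror=.1|alertAHMED-Vienna>"

# Hypothetical reconstruction of a weak input filter: strip <script> tags only.
# Any other tag with an event-handler attribute survives untouched.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)


def blocklist_filter(name: str) -> str:
    """Weak approach: delete <script> tags and store the rest as-is."""
    return SCRIPT_TAG_RE.sub("", name)


def escape_for_html(name: str) -> str:
    """Correct approach: encode <, >, &, ' and " at output time
    (the PHP equivalent is htmlspecialchars with ENT_QUOTES)."""
    return html.escape(name, quote=True)


# Review heuristic for stored profile names: any tag carrying an on*= attribute
# is suspicious regardless of the tag name, as is a literal <script.
EVENT_HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup_injection(value: str) -> bool:
    """True when a stored value contains markup that could execute in a page."""
    return bool(EVENT_HANDLER_RE.search(value)) or "<script" in value.lower()


if __name__ == "__main__":
    for label, payload in (("script", SCRIPT_PAYLOAD), ("bypass", BYPASS_PAYLOAD)):
        print(f"{label:7} blocklist -> {blocklist_filter(payload)!r}")
        print(f"{label:7} escaped   -> {escape_for_html(payload)!r}")
        print(f"{label:7} flagged   -> {looks_like_markup_injection(payload)}")
```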

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 21 days ago
thorsten/phpmyfaq maintainer has acknowledged this report 21 days ago
Thorsten Rinne validated this vulnerability 21 days ago
ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.12 with commit dcf7dd 21 days ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 18 hours ago
ahmedvienna
10 hours ago

Researcher


Hello,

Did you publish the CVE for this Vulnerability? Because I cannot recognize the CVE assigned to it.

Thank you very much.
