stored XSS Protection bypass by changing the User Profile Name in thorsten/phpmyfaq

Valid

Reported on

Mar 10th 2023

Hello,

I was able to bypass the XSS Vulnerability i reported before by using this Payload.

Lets try first a normal XSS Payload which will not work

for example -> <script>alert('1')</script> -> NOT WOKRING :)

lets try the bypass payload

1'"><img/src/onerror=.1|alertAHMED-Vienna>

XSS Payload fired and its stored -> let me show you

stored XSS :)

-> it is a stored XSS.

Lets see.

Thank you for watching :)

Impact

Hello,

I was able to bypass the XSS Vulnerability i reported before by using this Payload.

Lets try first a normal XSS Payload which will not work

for example -> <script>alert('1')</script> -> NOT WOKRING :)

lets try the bypass payload

1'"><img/src/onerror=.1|alertAHMED-Vienna>

XSS Payload fired and its stored -> let me show you

stored XSS :)

-> it is a stored XSS.

Lets see.

Thank you for watching :)

References

stored XSS Protection bypass by changing the User Profile Name - Video Proof of Concept

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 6 months ago

A thorsten/phpmyfaq maintainer has acknowledged this report 6 months ago

Thorsten Rinne validated this vulnerability 6 months ago

ahmedvienna has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne marked this as fixed in 3.1.12 with commit dcf7dd 6 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 31st 2023

Thorsten Rinne published this vulnerability 6 months ago

ahmedvienna

commented 6 months ago

Researcher

Hello,

Did you publish the CVE for this Vulnerability? Cause i can not recognize the CVE assignet to it.

Thank you very much.

ahmedvienna

commented 5 months ago

Researcher

Hello.

Did you update the Demo Website to 3.1.12 ?

Cause i found a Vulnerability there and i do not know if you have updated the Demo Website or not yet.

Thank you very much for your time and effort.

Best regards Ahmed Hassan

to join this conversation

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 6 months ago

A thorsten/phpmyfaq maintainer has acknowledged this report 6 months ago

Thorsten Rinne validated this vulnerability 6 months ago

ahmedvienna has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne marked this as fixed in 3.1.12 with commit dcf7dd 6 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Mar 31st 2023

Thorsten Rinne published this vulnerability 6 months ago

ahmedvienna

commented 6 months ago

Researcher

Hello,

Did you publish the CVE for this Vulnerability? Cause i can not recognize the CVE assignet to it.

Thank you very much.

ahmedvienna

commented 5 months ago

Researcher

Hello.

Did you update the Demo Website to 3.1.12 ?

Cause i found a Vulnerability there and i do not know if you have updated the Demo Website or not yet.

Thank you very much for your time and effort.

Best regards Ahmed Hassan

to join this conversation