Stored Cross-site scripting in thorsten/phpmyfaq


Reported on

Oct 20th 2022


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

Visit: http://<ip>/phpmyfaq/admin/?action=meta Click button Add template meta data Inject payload in field Page type: "><script>alert("XSS")</script> and Save Every time you go to http://<ip>/phpmyfaq/admin/?action=meta, payload XSS will execute Image POC:


Attacker can inject Javascript steal cookie, deface website ....

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a month ago
Hoang Van Hiep modified the report
a month ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a month ago
thorsten/phpmyfaq maintainer has acknowledged this report a month ago
Thorsten Rinne gave praise a month ago
Thank you, here's the fix:
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hoang Van Hiep
a month ago


can we assign cve?

Hoang Van Hiep
a month ago


Hi @maintainer @admin if possible can we assign CVE id for this vulnerability?

a month ago


@maintainer can you please mark this report as valid, fixed and then publish it? Also at the request of the researcher, can we assign a CVE?

Thorsten Rinne validated this vulnerability a month ago
Hoang Van Hiep has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.8 with commit 372428 a month ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Thorsten Rinne published this vulnerability a month ago
to join this conversation