Stored Cross-site scripting in thorsten/phpmyfaq


Reported on

Oct 20th 2022


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

Visit: http://<ip>/phpmyfaq/admin/?action=meta Click button Add template meta data Inject payload in field Page type: "><script>alert("XSS")</script> and Save Every time you go to http://<ip>/phpmyfaq/admin/?action=meta, payload XSS will execute Image POC:


Attacker can inject Javascript steal cookie, deface website ....

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
Hoang Van Hiep modified the report
a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne gave praise a year ago
Thank you, here's the fix:
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hoang Van Hiep
a year ago


can we assign cve?

Hoang Van Hiep
a year ago


Hi @maintainer @admin if possible can we assign CVE id for this vulnerability?

a year ago


@maintainer can you please mark this report as valid, fixed and then publish it? Also at the request of the researcher, can we assign a CVE?

Thorsten Rinne validated this vulnerability a year ago
sk4rl1ght has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.8 with commit 372428 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation