Stored Cross-site scripting in thorsten/phpmyfaq


Reported on

Oct 20th 2022


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

1. Visit: http://<ip>/phpmyfaq/admin/?action=meta
2. Click the button Add template meta data
3. Inject the payload in the field Page type: "><script>alert("XSS")</script> and Save
4. Every time you go to http://<ip>/phpmyfaq/admin/?action=meta, the XSS payload will execute


An attacker can inject JavaScript to steal cookies, deface the website, ...
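
The flaw class behind this report, as an added example that is not phpMyFAQ's code or its fix: a stored value written into HTML without output encoding, next to the same rendering with `htmlspecialchars()`. The record layout, field names and function names are hypothetical; the payload is the one from the proof of concept.

```php
<?php
declare(strict_types=1);

// Hypothetical stored record (not phpMyFAQ's schema). page_type holds the
// proof-of-concept payload exactly as the admin form saved it.
$storedRow = ['id' => 1, 'page_type' => '"><script>alert("XSS")</script>'];

// Vulnerable pattern: stored data is concatenated into a table cell and an
// attribute value unchanged. The leading "> closes the attribute and the tag,
// so the rest is parsed as markup on every page view.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['page_type'] . '</td>'
        . '<td><input name="page_type" value="' . $row['page_type'] . '"></td></tr>';
}

// Encode at output time. ENT_QUOTES encodes both quote characters (needed in
// attribute context); ENT_SUBSTITUTE keeps invalid UTF-8 from yielding ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['page_type']) . '</td>'
        . '<td><input name="page_type" value="' . e($row['page_type']) . '"></td></tr>';
}

// Regression check: true when the stored value needs encoding yet still
// appears verbatim in the rendered HTML.
function leaksMarkup(string $html, string $stored): bool
{
    return $stored !== e($stored) && strpos($html, $stored) !== false;
}

foreach (['unsafe' => 'renderRowUnsafe', 'safe' => 'renderRowSafe'] as $label => $fn) {
    $html = $fn($storedRow);
    echo $label, ': ', $html, PHP_EOL;
    echo '  raw stored value present in output: ',
        leaksMarkup($html, $storedRow['page_type']) ? 'yes' : 'no', PHP_EOL;
}
```

Encoding at the point of output also covers rows that were stored before any input-side validation existed.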

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago
Hoang Van Hiep modified the report
3 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 3 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 3 months ago
Thorsten Rinne gave praise 3 months ago
Thank you, here's the fix:
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hoang Van Hiep
3 months ago


Can we assign a CVE?

Hoang Van Hiep
3 months ago


Hi @maintainer @admin, if possible, can we assign a CVE ID for this vulnerability?

3 months ago


@maintainer can you please mark this report as valid, fixed and then publish it? Also at the request of the researcher, can we assign a CVE?

Thorsten Rinne validated this vulnerability 3 months ago
Hoang Van Hiep has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.8 with commit 372428 3 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Thorsten Rinne published this vulnerability 2 months ago