Stored Cross-site scripting in thorsten/phpmyfaq
Reported on
Oct 20th 2022
Description
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Proof of Concept
Visit: http://<ip>/phpmyfaq/admin/?action=meta Click button Add template meta data Inject payload in field Page type: "><script>alert("XSS")</script> and Save Every time you go to http://<ip>/phpmyfaq/admin/?action=meta, payload XSS will execute Image POC: https://drive.google.com/file/d/1iezIdmxcCBY8G714AUFGIm3fI145yiC1/view?usp=sharing
Impact
Attacker can inject Javascript steal cookie, deface website ....
Hi @maintainer @admin if possible can we assign CVE id for this vulnerability?
@maintainer can you please mark this report as valid, fixed and then publish it? Also at the request of the researcher, can we assign a CVE?