Stored xss in module FAQ News in thorsten/phpmyfaq

Valid

Reported on

May 4th 2023

Description

When admins create a FAQ News they can pass xss to the "text of the record" section

Proof of Concept

1.Login to admin account

2.In the CONTENT section, click on FAQ News

3.Add any type of source code and notice select Faq status as published

4.Turn on intercept with burp and click save

5.We change the parameter answer=...<code>payload</code>... and press forward

   <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>

6.Go to user account demo

7.On the homepage of the search section

xss will trigger

VIDEO POC

https://drive.google.com/file/d/1wFY-7Yh_vhcbdyApXo_iv7elbi57WXI9/view?usp=sharing

Impact

This vulnerability is capable of stolen the user cookie

References

https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago

We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 7 months ago

A thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago

Thorsten Rinne validated this vulnerability 7 months ago

H4ck3r Kh0ỏng has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Thorsten Rinne marked this as fixed in 3.1.14 with commit c12007 7 months ago

Thorsten Rinne has been awarded the fix bounty

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on May 31st 2023

H4ck3r Kh0ỏng

commented 7 months ago

Researcher

cool, can you assign a CVE to it?

Thorsten Rinne published this vulnerability 6 months ago

to join this conversation