Stored XSS in the FAQ News module in thorsten/phpmyfaq
Reported on
May 4th 2023
Description
When an admin creates a FAQ News entry, they can inject an XSS payload into the "text of the record" section.
Proof of Concept
1. Log in to an admin account
2. In the CONTENT section, click on FAQ News
3. Add any type of source code and make sure the FAQ status is set to published
4. Turn on intercept in Burp and click Save
5. Change the parameter answer=...<code>payload</code>... to the payload below and press Forward
<iframe srcdoc='<body onload=prompt(1)>'>
6. Go to the demo user account
7. On the homepage, in the search section, the XSS will trigger
VIDEO POC
https://drive.google.com/file/d/1wFY-7Yh_vhcbdyApXo_iv7elbi57WXI9/view?usp=sharing
Impact
This vulnerability can be used to steal the user's cookie.
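Mitigation sketch
Because the payload is placed in the answer parameter after the request leaves the browser, any filtering has to happen server-side on the submitted value. The following is an added example, not phpMyFAQ's own code or its fix: an allowlist sanitizer built on PHP's DOM extension, where the function name sanitizeRichText and both allowlists are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed allowlists for a news body; adjust to the markup the editor really needs.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'code', 'pre'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];

function sanitizeRichText(string $html): string
{
    $prev = libxml_use_internal_errors(true);   // malformed input must not emit warnings
    $doc  = new DOMDocument();
    // Wrap the fragment in a known <div> so it can be serialized back child by child.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    $xpath = new DOMXPath($doc);
    // Snapshot the node list first: the tree is modified while iterating.
    foreach (iterator_to_array($xpath->query('.//*', $root)) as $el) {
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);   // drops iframe, script, svg, ... with children
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok   = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($ok && $name === 'href') {
                // Positive match on the scheme; anything else (javascript:, data:) is dropped.
                $ok = preg_match('#^(https?://|mailto:)#i', trim($attr->value)) === 1;
            }
            if (!$ok) {
                $el->removeAttributeNode($attr);  // removes on*, srcdoc, style, ...
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input modelled on the payload in the report.
$answer = "<p onclick=\"x()\">News text</p><iframe srcdoc='<body onload=prompt(1)>'></iframe>";
echo sanitizeRichText($answer), PHP_EOL;
```

Marking the session cookie HttpOnly additionally limits the cookie-theft impact if a payload still gets through.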