Stored XSS in module FAQ News in thorsten/phpmyfaq

Valid

Reported on

May 4th 2023


Description

When an admin creates a FAQ News record, they can pass XSS into the "text of the record" section.

Proof of Concept

1. Log in to the admin account

2. In the CONTENT section, click on FAQ News

3. Add any type of source code and make sure to select the FAQ status as published

4. Turn on intercept with Burp and click save

5. Change the parameter answer=...<code>payload</code>... and press forward

   <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>

6. Go to the demo user account

7. On the homepage of the search section, the XSS will trigger

VIDEO POC

https://drive.google.com/file/d/1wFY-7Yh_vhcbdyApXo_iv7elbi57WXI9/view?usp=sharing

Impact

This vulnerability can be used to steal the user's cookie.
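
An added example, not phpMyFAQ's code or its fix (which this report does not show): a Python allowlist sanitizer for a news body. It shows that the srcdoc value from step 5 decodes to active markup once entities are resolved, and that rebuilding the output from an allowlist drops the iframe entirely. The allowlist, the names NewsSanitizer and sanitize_news, and the sample text around the payload are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a news body; adjust to what the editor really emits.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_PREFIXES = ("http://", "https://", "mailto:")


class NewsSanitizer(HTMLParser):
    """Rebuild markup from an allowlist; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.srcdocs = []  # decoded srcdoc values seen, useful for logging

    def handle_starttag(self, tag, attrs):
        # html.parser has already entity-decoded attribute values here,
        # which is the form a browser parses as the iframe's document.
        self.srcdocs += [v for k, v in attrs if k == "srcdoc" and v]
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, ())
            if allowed and value and value.strip().lower().startswith(SAFE_PREFIXES):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so it cannot reintroduce markup.
        self.out.append(escape(data, quote=False))


def sanitize_news(html_text):
    """Return (clean_html, decoded_srcdoc_values)."""
    parser = NewsSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.srcdocs


# The PoC value from the report, inside constructed surrounding text.
POC = "<p>Release notes</p><iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>"
```

A filter that only searches the raw request value for strings such as "onload" next to "<body" would not match the encoded form; sanitizing on the parsed structure, server-side and before storage, does not depend on how the value was encoded.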

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 7 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago
Thorsten Rinne validated this vulnerability 7 months ago
H4ck3r Kh0ỏng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.14 with commit c12007 7 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on May 31st 2023
H4ck3r Kh0ỏng
7 months ago

Researcher


cool, can you assign a CVE to it?

Thorsten Rinne published this vulnerability 6 months ago